Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent VXLAN packages from Wired mesh from entering BATMAN #3025

Open
jplitza opened this issue Oct 15, 2023 · 5 comments
Open

Prevent VXLAN packages from Wired mesh from entering BATMAN #3025

jplitza opened this issue Oct 15, 2023 · 5 comments

Comments

@jplitza
Copy link
Member

jplitza commented Oct 15, 2023

Bug report

What is the problem?

Due to miscabling/misconfiguration, it is possible for packets coming from the mesh to be encapsulated in VXLAN packets, sent out of a wired mesh port, arriving at a LAN port of another node and then and being fed back into the mesh with the VXLAN encapsulation as multicast.

What is the expected behaviour?

A node receiving VXLAN packets with the correct VNI and destination address for its domain does not forward them into the mesh, even if received on a port not configured for wired mesh.

Gluon Version:

v2021.1.2 (but probably later as well?)

Site Configuration:

https://github.com/FreifunkBremen/gluon-site-ffhb

Custom patches:
@neocturne
Copy link
Member

Hmm, in the past, gluon-ebtables-filter-multicast should have caught such packets, but this has been relaxed in 98f3f63. In theory, batman-adv's noflood feature should ensure that these packets are never flooded through the mesh, and only forwarded to nodes that have joined the multicast group.

I guess we could add a specific rule to never allow packets to Gluon's multicast group address.

cc @T-X

@T-X
Copy link
Contributor

T-X commented Oct 17, 2023

Good question. I'm wondering if it could actually be a feature. For example I could have a building/dorm/allotment use it's own, local Gluon mesh domain. But with bordering nodes into the city wide Gluon mesh domain. Then the city's mesh packets could travel from one side of the local area domain to the other via mesh-on-wan/lan / VXLAN. As long as there are not too many bordering nodes in the local mesh domain, due to BATMAN's O(n^2) overhead relative to the number of neighbor nodes.

If we could filter with ebtables for the VXLAN VNI, that would be great. But as far as I know we can't easily do that with ebtables right now. So yeah, maybe then ebtables filtering for IPv6 destination ff02::15c + UDP destination port 4789 would be safer for now.

@jplitza
Copy link
Member Author

jplitza commented Oct 17, 2023

In theory, batman-adv's noflood feature should ensure that these packets are never flooded through the mesh, and only forwarded to nodes that have joined the multicast group.

I arrived at that conclusion a few hours later as well (by sniffing the interface below). ;-) So I'm not sad if this issue is simply closed.

@neocturne
Copy link
Member

Still seems like it might have very weird effects (including lost packets due to MTU issues) as soon as two nodes are connected incorrectly. I'd prefer gluon-ebtables-filter-multicast to overblock by default; requiring to disable it for some unusual use cases is fine (and making it more configurable is also a long-term wishlist item...)

@Djfe

This comment was marked as resolved.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@T-X @neocturne @jplitza @Djfe