Skip to content
Snippets Groups Projects
Select Git revision
  • testbuild
  • v2020.2.x-ffbs-next
  • v2021.1.x-ffbs-next
  • v2019.1.x-ffbs
  • v2020.1.x-ffbs-next
  • v2019.1.x-ffbs-next
  • dnat
  • master default protected
  • v2018.2.x-ffbs
  • v2018.2.2.1-ffbs
  • topic/wireguard_respondd
  • v2018.1.x-ffbs
  • v2017.1.x
  • v2020.2.3.6-ffbs-next
  • v2020.2.3.5-ffbs-next
  • v2020.2.3.4-ffbs-next
  • v2020.2.3.3-ffbs-next
  • v2020.2.3.2-ffbs-next
  • v2020.2.3.1-ffbs-next
  • v2020.2.3.0-ffbs-next
  • v2020.2.3
  • v2020.2.2.2-ffbs-next
  • v2020.2.2.1-ffbs-next
  • v2020.2.2-ffbs-next
  • v2020.2.2
  • v2020.2.1.2-ffbs-next
  • v2019.1.3-ffbs
  • v2019.1.3
  • v2020.2.1.1-ffbs-next
  • v2020.2.1
  • v2020.1.4
  • v2019.1.2.1-ffbs
  • v2020.2
33 results
Blame Permalink
Forked from ffbs / ffbs-gluon
2411 commits behind, 26 commits ahead of the upstream repository.
  • Sven Eckelmann's avatar
    a7a5db9f
    gluon-mesh-batman-adv: Drop IPv4 anycast related packets from/to bat0 · a7a5db9f
    Sven Eckelmann authored 
    The commit b3762fc6 ("gluon-client-bridge: move IPv4 local subnet route
to br-client (#1312)") moves the IPv4 prefix from the local-port interface
to br-client. A client requesting an IPv4 connection to the IPv4 anycast
address of the node (the device running gluon) will create following
packets:

1. ARP packet from client to get the MAC of the mac address of the anycast
   IPv4 address
2. ARP reply from node to client with the anycast MAC address for the IPv4
   anycast address
3. IPv4 packet from client which requires reply (for example ICMP echo
   request)
4. ARP request for the client MAC address for its IPv4 address in prefix4
   (done with the mac address of br-client and transmitted over br-client)
5. IPv4 packet from node (transmitted over br-client with br-client MAC
   address) as reply for the client IPv4 packet (for example ICMP echo
   reply)

The step 4 is extremely problematic here. ARP replies with the anycast IPv4
address must not be submitted or received via bat0 - expecially not when it
contains an node specific MAC address as source. When it is still done then
the wrong MAC address is stored in the batadv DAT cache and ARP packet is
maybe even forwarded to clients. This latter is especially true for ARP
requests which are broadcast and will be flooded to the complete mesh.

Clients will see these ARP packets and change their own neighbor IP
(translation) table. They will then try to submit the packets for IPv4
anycast addresses to the complete wrong device in the mesh. This will for
example break the access to the status page to the connected device or the
anycast DNS forwarder implementation. Especially the latter causes extreme
latency when clients try to connect to server using a domain name or even
breaks the connection setup process completely. Both are caused by the
unanswered DNS requests which at first glance look like packet loss.

An node must therefore take care of:

* not transmitting ARP packets related to the anycast IPv4 address over
  bat0
* drop ARP packets related to the anycast IPv4 when they are received on
  bat0 from a still broken node
* don't accept ARP packets related to the anycast IPv4 replies on local
  node when it comes from bat0

Fixes: b3762fc6 ("gluon-client-bridge: move IPv4 local subnet route to br-client (#1312)")
    a7a5db9f
    History
    gluon-mesh-batman-adv: Drop IPv4 anycast related packets from/to bat0
    Sven Eckelmann authored 
    The commit b3762fc6 ("gluon-client-bridge: move IPv4 local subnet route
to br-client (#1312)") moves the IPv4 prefix from the local-port interface
to br-client. A client requesting an IPv4 connection to the IPv4 anycast
address of the node (the device running gluon) will create following
packets:

1. ARP packet from client to get the MAC of the mac address of the anycast
   IPv4 address
2. ARP reply from node to client with the anycast MAC address for the IPv4
   anycast address
3. IPv4 packet from client which requires reply (for example ICMP echo
   request)
4. ARP request for the client MAC address for its IPv4 address in prefix4
   (done with the mac address of br-client and transmitted over br-client)
5. IPv4 packet from node (transmitted over br-client with br-client MAC
   address) as reply for the client IPv4 packet (for example ICMP echo
   reply)

The step 4 is extremely problematic here. ARP replies with the anycast IPv4
address must not be submitted or received via bat0 - expecially not when it
contains an node specific MAC address as source. When it is still done then
the wrong MAC address is stored in the batadv DAT cache and ARP packet is
maybe even forwarded to clients. This latter is especially true for ARP
requests which are broadcast and will be flooded to the complete mesh.

Clients will see these ARP packets and change their own neighbor IP
(translation) table. They will then try to submit the packets for IPv4
anycast addresses to the complete wrong device in the mesh. This will for
example break the access to the status page to the connected device or the
anycast DNS forwarder implementation. Especially the latter causes extreme
latency when clients try to connect to server using a domain name or even
breaks the connection setup process completely. Both are caused by the
unanswered DNS requests which at first glance look like packet loss.

An node must therefore take care of:

* not transmitting ARP packets related to the anycast IPv4 address over
  bat0
* drop ARP packets related to the anycast IPv4 when they are received on
  bat0 from a still broken node
* don't accept ARP packets related to the anycast IPv4 replies on local
  node when it comes from bat0

Fixes: b3762fc6 ("gluon-client-bridge: move IPv4 local subnet route to br-client (#1312)")
250-next-node 2.21 KiB