Merge pull request #2209 from T-X/pr-batman-adv-noflood+mcast-fw-relax

c97be1e1 · Martin Weinelt · GitHub · 20f665b1 · 98f3f638 · c97be1e1
Unverified Commit c97be1e1 authored 3 years ago by Martin Weinelt Committed by GitHub 3 years ago
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
+++ b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
 rule ('MULTICAST_OUT -j DROP')
--- a/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh
+++ b/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh
@@ -47,6 +47,7 @@ proto_gluon_bat0_setup() {
 	batctl orig_interval 5000
 	batctl hop_penalty "$(lookup_uci 'gluon.mesh_batman_adv.hop_penalty' 15)"
+	batctl noflood_mark 0x4/0x4
 	case "$gw_mode" in
 		server)

--- a/patches/packages/routing/0003-batman-adv-Introduce-no-noflood-mark.patch
+++ b/patches/packages/routing/0003-batman-adv-Introduce-no-noflood-mark.patch
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Sat, 1 May 2021 22:19:03 +0200
+Subject: batman-adv: Introduce no noflood mark
+This mark prevents a multicast packet being flooded through the whole
+mesh. The advantage of marking certain multicast packets via e.g.
+ebtables instead of dropping is then the following:
+This allows an administrator to let specific multicast packets pass as
+long as they are forwarded to a limited number of nodes only and are
+therefore creating no burdon to unrelated nodes.
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+diff --git a/batman-adv/patches/0034-batman-adv-Introduce-no-noflood-mark.patch b/batman-adv/patches/0034-batman-adv-Introduce-no-noflood-mark.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..2ccb6da270acf41e56f9a37801e23301e592b112
+--- /dev/null
+++ b/batman-adv/patches/0034-batman-adv-Introduce-no-noflood-mark.patch
+@@ -0,0 +1,167 @@
+From 25b21382238c783298c0d8defc8c739126c1b54d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Sat, 31 Mar 2018 03:36:19 +0200
+Subject: [PATCH] batman-adv: Introduce no noflood mark
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This mark prevents a multicast packet being flooded through the whole
+mesh. The advantage of marking certain multicast packets via e.g.
+ebtables instead of dropping is then the following:
+
+This allows an administrator to let specific multicast packets pass as
+long as they are forwarded to a limited number of nodes only and are
+therefore creating no burdon to unrelated nodes.
+
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+
+---
+
+https://www.open-mesh.org/projects/batman-adv/wiki/Noflood-broadcast-prevention
+
+Changelog v2:
+
+* rebased to master
+* sysfs -> netlink
+---
+ include/uapi/linux/batman_adv.h | 12 ++++++++++++
+ net/batman-adv/netlink.c        | 22 ++++++++++++++++++++++
+ net/batman-adv/soft-interface.c | 20 ++++++++++++++++++++
+ net/batman-adv/types.h          | 12 ++++++++++++
+ 4 files changed, 66 insertions(+)
+
+diff --git a/include/uapi/linux/batman_adv.h b/include/uapi/linux/batman_adv.h
+index 67f46367..6fabb7aa 100644
+--- a/include/uapi/linux/batman_adv.h
++++ b/include/uapi/linux/batman_adv.h
+@@ -480,6 +480,18 @@ enum batadv_nl_attrs {
+ 	 */
+ 	BATADV_ATTR_MULTICAST_FANOUT,
+ 
++	/**
++	 * @BATADV_ATTR_NOFLOOD_MARK: the noflood mark which allows to tag
++	 *  frames which should never be broadcast flooded through the mesh.
++	 */
++	BATADV_ATTR_NOFLOOD_MARK,
++
++	/**
++	 * @BATADV_ATTR_NOFLOOD_MASK: the noflood (bit)mask which allows to tag
++	 *  frames which should never be broadcast flooded through the mesh.
++	 */
++	BATADV_ATTR_NOFLOOD_MASK,
++
+ 	/* add attributes above here, update the policy in netlink.c */
+ 
+ 	/**
+diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
+index e1978bc5..3d2c147a 100644
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -134,6 +134,8 @@ static const struct nla_policy batadv_netlink_policy[NUM_BATADV_ATTR] = {
+ 	[BATADV_ATTR_AP_ISOLATION_ENABLED]	= { .type = NLA_U8 },
+ 	[BATADV_ATTR_ISOLATION_MARK]		= { .type = NLA_U32 },
+ 	[BATADV_ATTR_ISOLATION_MASK]		= { .type = NLA_U32 },
++	[BATADV_ATTR_NOFLOOD_MARK]		= { .type = NLA_U32 },
++	[BATADV_ATTR_NOFLOOD_MASK]		= { .type = NLA_U32 },
+ 	[BATADV_ATTR_BONDING_ENABLED]		= { .type = NLA_U8 },
+ 	[BATADV_ATTR_BRIDGE_LOOP_AVOIDANCE_ENABLED]	= { .type = NLA_U8 },
+ 	[BATADV_ATTR_DISTRIBUTED_ARP_TABLE_ENABLED]	= { .type = NLA_U8 },
+@@ -286,6 +288,14 @@ static int batadv_netlink_mesh_fill(struct sk_buff *msg,
+ 			bat_priv->isolation_mark_mask))
+ 		goto nla_put_failure;
+ 
++	if (nla_put_u32(msg, BATADV_ATTR_NOFLOOD_MARK,
++			bat_priv->noflood_mark))
++		goto nla_put_failure;
++
++	if (nla_put_u32(msg, BATADV_ATTR_NOFLOOD_MASK,
++			bat_priv->noflood_mark_mask))
++		goto nla_put_failure;
++
+ 	if (nla_put_u8(msg, BATADV_ATTR_BONDING_ENABLED,
+ 		       !!atomic_read(&bat_priv->bonding)))
+ 		goto nla_put_failure;
+@@ -466,6 +476,18 @@ static int batadv_netlink_set_mesh(struct sk_buff *skb, struct genl_info *info)
+ 		bat_priv->isolation_mark_mask = nla_get_u32(attr);
+ 	}
+ 
++	if (info->attrs[BATADV_ATTR_NOFLOOD_MARK]) {
++		attr = info->attrs[BATADV_ATTR_NOFLOOD_MARK];
++
++		bat_priv->noflood_mark = nla_get_u32(attr);
++	}
++
++	if (info->attrs[BATADV_ATTR_NOFLOOD_MASK]) {
++		attr = info->attrs[BATADV_ATTR_NOFLOOD_MASK];
++
++		bat_priv->noflood_mark_mask = nla_get_u32(attr);
++	}
++
+ 	if (info->attrs[BATADV_ATTR_BONDING_ENABLED]) {
+ 		attr = info->attrs[BATADV_ATTR_BONDING_ENABLED];
+ 
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index c99facdb..4e71b9f3 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -176,6 +176,23 @@ static void batadv_interface_set_rx_mode(struct net_device *dev)
+ {
+ }
+ 
++/**
++ * batadv_send_skb_has_noflood_mark() - check if packet has a noflood mark
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: the packet to check
++ *
++ * Return: True if the skb's mark matches a configured noflood mark and
++ * noflood mark mask. False otherwise.
++ */
++static bool
++batadv_skb_has_noflood_mark(struct batadv_priv *bat_priv, struct sk_buff *skb)
++{
++	u32 match_mark = skb->mark & bat_priv->noflood_mark_mask;
++
++	return bat_priv->noflood_mark_mask &&
++	       match_mark == bat_priv->noflood_mark;
++}
++
+ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
+ 				       struct net_device *soft_iface)
+ {
+@@ -326,6 +343,9 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
+ 		if (batadv_dat_snoop_outgoing_arp_request(bat_priv, skb))
+ 			brd_delay = msecs_to_jiffies(ARP_REQ_DELAY);
+ 
++		if (batadv_skb_has_noflood_mark(bat_priv, skb))
++			goto dropped;
++
+ 		if (batadv_skb_head_push(skb, sizeof(*bcast_packet)) < 0)
+ 			goto dropped;
+ 
+diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
+index c0ded822..09c877fa 100644
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1599,6 +1599,18 @@ struct batadv_priv {
+ 	 */
+ 	u32 isolation_mark_mask;
+ 
++	/**
++	 * @noflood_mark: the skb->mark value used to allow directed targeting
++	 *  only
++	 */
++	u32 noflood_mark;
++
++	/**
++	 * @noflood_mark_mask: bitmask identifying the bits in skb->mark to be
++	 *  used for the noflood mark
++	 */
++	u32 noflood_mark_mask;
++
+ 	/** @bcast_seqno: last sent broadcast packet sequence number */
+ 	atomic_t bcast_seqno;
+ 
+-- 
+2.31.0
+
--- a/patches/packages/routing/0004-batctl-Add-noflood_mark-command.patch
+++ b/patches/packages/routing/0004-batctl-Add-noflood_mark-command.patch
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+Date: Sat, 1 May 2021 22:19:41 +0200
+Subject: batctl: Add noflood_mark command
+Adds support for the new 'noflood_mark' setting in batman-adv.
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+diff --git a/batctl/patches/0012-batctl-Add-noflood_mark-command.patch b/batctl/patches/0012-batctl-Add-noflood_mark-command.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..296f3c51b79333a8e96c340d151ba00b8f457120
+--- /dev/null
+++ b/batctl/patches/0012-batctl-Add-noflood_mark-command.patch
+@@ -0,0 +1,273 @@
+From c14abebbeb4af76600cd6eb508e5e4e38a436b2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Fri, 26 Apr 2019 19:27:38 +0200
+Subject: [PATCH] batctl: Add noflood_mark command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Adds support for the new 'noflood_mark' setting in batman-adv.
+
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+---
+Changelog v3:
+* changed command from a noflood tri-state option
+  to a value/mask one similar to the isolation mark
+* noflood.c -> noflood_mark.c
+
+Changelog v2:
+* added noflood.c
+---
+ Makefile       |   1 +
+ README.rst     |  15 ++++++
+ batman_adv.h   |  12 +++++
+ man/batctl.8   |  23 ++++++++
+ noflood_mark.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 192 insertions(+)
+ create mode 100644 noflood_mark.c
+
+diff --git a/Makefile b/Makefile
+index e3747a2..686de7e 100755
+--- a/Makefile
++++ b/Makefile
+@@ -61,6 +61,7 @@ $(eval $(call add_command,multicast_mode,y))
+ $(eval $(call add_command,nc_nodes,y))
+ $(eval $(call add_command,neighbors,y))
+ $(eval $(call add_command,network_coding,y))
++$(eval $(call add_command,noflood_mark,y))
+ $(eval $(call add_command,orig_interval,y))
+ $(eval $(call add_command,originators,y))
+ $(eval $(call add_command,ping,y))
+diff --git a/README.rst b/README.rst
+index 128f539..bc937d2 100644
+--- a/README.rst
++++ b/README.rst
+@@ -582,6 +582,21 @@ Usage::
+ * Example 4: ``batctl mark 0x0f``
+ 
+ 
++batctl noflood_mark
++=======================
++
++display or modify noflood_mark setting
++
++Usage::
++
++  batctl noflood_mark|nf $value[/0x$mask]
++
++* Example 1: ``batctl nf 0x00000001/0xffffffff``
++* Example 2: ``batctl nf 0x00040000/0xffff0000``
++* Example 3: ``batctl nf 16``
++* Example 4: ``batctl nf 0x0f``
++
++
+ batctl translocal
+ =================
+ 
+diff --git a/batman_adv.h b/batman_adv.h
+index 67f4636..6fabb7a 100644
+--- a/batman_adv.h
++++ b/batman_adv.h
+@@ -480,6 +480,18 @@ enum batadv_nl_attrs {
+ 	 */
+ 	BATADV_ATTR_MULTICAST_FANOUT,
+ 
++	/**
++	 * @BATADV_ATTR_NOFLOOD_MARK: the noflood mark which allows to tag
++	 *  frames which should never be broadcast flooded through the mesh.
++	 */
++	BATADV_ATTR_NOFLOOD_MARK,
++
++	/**
++	 * @BATADV_ATTR_NOFLOOD_MASK: the noflood (bit)mask which allows to tag
++	 *  frames which should never be broadcast flooded through the mesh.
++	 */
++	BATADV_ATTR_NOFLOOD_MASK,
++
+ 	/* add attributes above here, update the policy in netlink.c */
+ 
+ 	/**
+diff --git a/man/batctl.8 b/man/batctl.8
+index d42b682..5489c2e 100644
+--- a/man/batctl.8
++++ b/man/batctl.8
+@@ -124,6 +124,29 @@ If no parameter is given the current multicast fanout setting is displayed. Othe
+ the multicast fanout. The multicast fanout defines the maximum number of packet copies that may be generated for a
+ multicast-to-unicast conversion. Once this limit is exceeded distribution will fall back to broadcast.
+ .br
++.IP "\fBnoflood_mark\fP|\fBnf\fP"
++If no parameter is given the current noflood mark value is displayed.
++Otherwise the parameter is used to set or unset the noflood mark. The
++noflood mark allows to prevent broadcast flooding of a frame which
++was previously tagged via netfilter for instance. batman-adv will
++then only forward a frame into the mesh if destined to a limited
++number of destination nodes and drop the frame otherwise.
++.br
++The input is supposed to be of the form $value/$mask, where $value can be any
++32bit long integer (expressed in decimal or hex base) and $mask is a generic
++bitmask (expressed in hex base) that selects the bits to take into consideration
++from $value. It is also possible to enter the input using only $value and in
++this case the full bitmask is used by default.
++
++.br
++.br
++Example 1: 0x00000001/0xffffffff
++.br
++Example 2: 0x00040000/0xffff0000
++.br
++Example 3: 16 or 0x0F
++.br
++.br
+ .IP "\fBloglevel\fP|\fBll\fP [\fBlevel\fP[ \fBlevel\fP[ \fBlevel\fP]] \fB...\fP]"
+ If no parameter is given the current log level settings are displayed otherwise the parameter(s) is/are used to set the log
+ level. Level 'none' disables all verbose logging. Level 'batman' enables messages related to routing / flooding / broadcasting.
+diff --git a/noflood_mark.c b/noflood_mark.c
+new file mode 100644
+index 0000000..e89205c
+--- /dev/null
++++ b/noflood_mark.c
+@@ -0,0 +1,141 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Copyright (C) 2009-2019  B.A.T.M.A.N. contributors:
++ *
++ * Antonio Quartulli <a@unstable.cc>
++ * Linus Lüssing <linus.luessing@c0d3.blue>
++ *
++ * License-Filename: LICENSES/preferred/GPL-2.0
++ */
++
++#include <errno.h>
++#include <stddef.h>
++#include <stdint.h>
++#include <string.h>
++
++#include "main.h"
++#include "sys.h"
++
++static struct noflood_mark_data {
++	uint32_t noflood_mark;
++	uint32_t noflood_mask;
++} noflood_mark;
++
++static int parse_noflood_mark(struct state *state, int argc, char *argv[])
++{
++	struct settings_data *settings = state->cmd->arg;
++	struct noflood_mark_data *data = settings->data;
++	char *mask_ptr;
++	char buff[256];
++	uint32_t mark;
++	uint32_t mask;
++	char *endptr;
++
++	if (argc != 2) {
++		fprintf(stderr, "Error - incorrect number of arguments (expected 1)\n");
++		return -EINVAL;
++	}
++
++	strncpy(buff, argv[1], sizeof(buff));
++	buff[sizeof(buff) - 1] = '\0';
++
++	/* parse the mask if it has been specified, otherwise assume the mask is
++	 * the biggest possible
++	 */
++	mask = 0xFFFFFFFF;
++	mask_ptr = strchr(buff, '/');
++	if (mask_ptr) {
++		*mask_ptr = '\0';
++		mask_ptr++;
++
++		/* the mask must be entered in hex base as it is going to be a
++		 * bitmask and not a prefix length
++		 */
++		mask = strtoul(mask_ptr, &endptr, 16);
++		if (!endptr || *endptr != '\0')
++			goto inval_format;
++	}
++
++	/* the mark can be entered in any base */
++	mark = strtoul(buff, &endptr, 0);
++	if (!endptr || *endptr != '\0')
++		goto inval_format;
++
++	data->noflood_mask = mask;
++	/* erase bits not covered by the mask */
++	data->noflood_mark = mark & mask;
++
++	return 0;
++
++inval_format:
++	fprintf(stderr, "Error - incorrect number of arguments (expected 1)\n");
++	fprintf(stderr, "The following formats for mark(/mask) are allowed:\n");
++	fprintf(stderr, " * 0x12345678\n");
++	fprintf(stderr, " * 0x12345678/0xabcdef09\n");
++	return -EINVAL;
++}
++
++static int print_noflood_mark(struct nl_msg *msg, void *arg)
++{
++	struct nlattr *attrs[BATADV_ATTR_MAX + 1];
++	struct nlmsghdr *nlh = nlmsg_hdr(msg);
++	struct genlmsghdr *ghdr;
++	int *result = arg;
++
++	if (!genlmsg_valid_hdr(nlh, 0))
++		return NL_OK;
++
++	ghdr = nlmsg_data(nlh);
++
++	if (nla_parse(attrs, BATADV_ATTR_MAX, genlmsg_attrdata(ghdr, 0),
++		      genlmsg_len(ghdr), batadv_netlink_policy)) {
++		return NL_OK;
++	}
++
++	if (!attrs[BATADV_ATTR_NOFLOOD_MARK] ||
++	    !attrs[BATADV_ATTR_NOFLOOD_MASK])
++		return NL_OK;
++
++	printf("0x%08x/0x%08x\n",
++	       nla_get_u32(attrs[BATADV_ATTR_NOFLOOD_MARK]),
++	       nla_get_u32(attrs[BATADV_ATTR_NOFLOOD_MASK]));
++
++	*result = 0;
++	return NL_STOP;
++}
++
++static int get_noflood_mark(struct state *state)
++{
++	return sys_simple_nlquery(state, BATADV_CMD_GET_MESH,
++				  NULL, print_noflood_mark);
++}
++
++static int set_attrs_noflood_mark(struct nl_msg *msg, void *arg)
++{
++	struct state *state = arg;
++	struct settings_data *settings = state->cmd->arg;
++	struct noflood_mark_data *data = settings->data;
++
++	nla_put_u32(msg, BATADV_ATTR_NOFLOOD_MARK, data->noflood_mark);
++	nla_put_u32(msg, BATADV_ATTR_NOFLOOD_MASK, data->noflood_mask);
++
++	return 0;
++}
++
++static int set_noflood_mark(struct state *state)
++{
++	return sys_simple_nlquery(state, BATADV_CMD_SET_MESH,
++				  set_attrs_noflood_mark, NULL);
++}
++
++static struct settings_data batctl_settings_noflood_mark = {
++	.sysfs_name = NULL,
++	.data = &noflood_mark,
++	.parse = parse_noflood_mark,
++	.netlink_get = get_noflood_mark,
++	.netlink_set = set_noflood_mark,
++};
++
++COMMAND_NAMED(SUBCOMMAND, noflood_mark, "nf", handle_sys_setting,
++	      COMMAND_FLAG_MESH_IFACE | COMMAND_FLAG_NETLINK,
++	      &batctl_settings_noflood_mark,
++	      "[mark]            \tdisplay or modify noflood_mark setting");
+-- 
+2.31.0
+