gluon-mesh-batman-adv-brmldproxy: add package
Now that we have general support for routable IPv6 multicast addresses in
Gluon master thanks to the newer Linux (bridge) and batman-adv versions
it becomes more interesting to also support layer 3 IPv6 multicast
routers.

So far this was also not possible with the default settings in Gluon
due to filtering MLD into the mesh. This now adds support for
brmldproxy, a daemon which proxies MLD reports between bridge ports.

For the Gluon scenario this package adds brmldproxy proxying
configuration for the mesh side bat0 bridge port.

The configuration is tuned in a way to enable the usage of
layer 3 IPv6 multicast routers for routable IPv6 multicast
address ranges. But with a lot smaller MLD overhead
compared to the filter_membership_reports=false site.conf option.

If a node has no multicast listener for a routable IPv6
multicast address then this node will emit no MLD report
into the mesh. Furthermore, if a node has multiple multicast
listening hosts for routable IPv6 multicast addresses then the
node will act in deputy and respond with combined, aggregated
MLD reports on behalf.

This package is currently incompatible with a
filter_membership_reports=true site.conf option.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
T-X committed Sep 23, 2023
1 parent 46b90c1 commit f1ff246
Showing 7 changed files with 129 additions and 3 deletions.
1 change: 1 addition & 0 deletions docs/index.rst
Expand Up @@ -69,6 +69,7 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
package/gluon-hoodselector
package/gluon-logging
package/gluon-mesh-batman-adv
package/gluon-mesh-batman-adv-brmldproxy
package/gluon-mesh-wireless-sae
package/gluon-radv-filterd
package/gluon-scheduled-domain-switch
32 changes: 32 additions & 0 deletions docs/package/gluon-mesh-batman-adv-brmldproxy.rst
@@ -0,0 +1,32 @@
gluon-mesh-batman-adv-brmldproxy
================================

The *gluon-mesh-batman-adv-brmldproxy* package adds configuration
to enable `brmldproxy`_ in Gluon with batman-adv.

The configuration is tuned in a way to enable the usage of
layer 3 IPv6 multicast routers for routable IPv6 multicast
address ranges. But with a lot smaller MLD overhead
compared to the `filter_membership_reports=false`
:ref:`site.conf <user-site-mesh>` option.

If a node has no multicast listener for a routable IPv6
multicast address then this node will emit no MLD report
into the mesh. Furthermore, if a node has multiple multicast
listening hosts for routable IPv6 multicast addresses then the
node will act in deputy and respond with combined, aggregated
MLD reports on behalf.

This package is currently incompatible with a
`filter_membership_reports=false`
:ref:`site.conf <user-site-mesh>` option.

----

Notable layer 3 IPv6 multicast router implementations:

* pim6sd: https://github.com/troglobit/pim6sd
* HowTo at DN42: https://dn42.dev/howto/IPv6-Multicast
* lcroute: https://codeberg.org/librecast/lcroute

.. _brmldproxy: https://github.com/T-X/brmldproxy
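Review bot: The two `filter_membership_reports=false` literals are written with single backticks, which reStructuredText treats as interpreted text in the default role rather than as an inline literal; use double backticks so they render as code. In the third paragraph, "act in deputy and respond ... on behalf" does not say on whose behalf; "respond on behalf of these hosts" would make the aggregation behaviour unambiguous.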
19 changes: 16 additions & 3 deletions docs/package/gluon-mesh-batman-adv.rst
Expand Up @@ -137,14 +137,16 @@ batman-adv. Which even with IGMP/MLD filtered, will have full multicast
membership knowledge through its own propagation through the batman-adv
translation table.

Advantages are:
**Advantages:**

* Reduced overhead through reactive batman-adv multicast TT vs.
periodic IGMP/MLD messages in the mesh
* Increased IGMP/MLD snooping robustness via local, per node
IGMP/MLD queriers
* DDoS vector mitigation

**Limitations:**

**Note:** For nodes running an operating system other than Gluon, but a bridge
interface on top of the batman-adv interface, you will need to set the
multicast router flag there manually:
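Review bot: The new "**Limitations:**" heading is followed directly by the existing "**Note:**" paragraph on setting the multicast router flag on non-Gluon nodes, which is a setup instruction rather than a limitation, so the first real limitation only appears after the code block. Consider placing the heading below the note and its code block, or rewording the note as a limitation ("non-Gluon nodes need the flag set manually").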
Expand All @@ -159,12 +161,23 @@ assume that there is no multicast router behind this port, meaning
to only forward multicast to this port if an according multicast
listener on this link was detected.

Further limitations: IGMP/MLD snooping switches (e.g. "enterprise switches")
IGMP/MLD snooping switches (e.g. "enterprise switches")
behind the client network of a node (LAN ports) are unsupported. It is
advised to disable IGMP/MLD snooping on those enterprise switches for now
or to at least manually mark the port to the Gluon router as a
"multicast router port".

Alternatively, the filtering of IGMP/MLD reports can be disabled via
Also IPv4/IPv6 multicast routers are unsupported, unless the
:doc:`gluon-mesh-batman-adv-brmldproxy` package is installed.

**Configuration options:**

The filtering of IGMP/MLD reports can be disabled via
the site.conf (which is not recommended in large meshes though).
See :ref:`site.conf mesh section <user-site-mesh>` for details.

Another alternative is to install the :doc:`gluon-mesh-batman-adv-brmldproxy`
package. Which allows proxied MLD reports for listeners of
routable IPv6 multicast addresses, while keeping link-local
IPv6 multicast addresses filtered. This allows using IPv6
multicast routers.
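Review bot: "Also IPv4/IPv6 multicast routers are unsupported, unless the ... package is installed" claims more than the package delivers: the config shipped in this commit sets option family 'ipv6', and the closing paragraph here only promises IPv6 multicast routers. Suggest stating that IPv4 multicast routers are unsupported and that IPv6 multicast routers require the package. "package. Which allows proxied MLD reports" is also a sentence fragment and reads better joined with a comma.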
36 changes: 36 additions & 0 deletions package/gluon-mesh-batman-adv-brmldproxy/Makefile
@@ -0,0 +1,36 @@
include $(TOPDIR)/rules.mk

PKG_NAME:=gluon-mesh-batman-adv-brmldproxy

include ../gluon.mk

define Package/gluon-mesh-batman-adv-brmldproxy
TITLE:=Bridge MLD Proxy for Gluon
DEPENDS:=+brmldproxy gluon-mesh-batman-adv
endef

define Package/gluon-mesh-batman-adv-brmldproxy/description
Gluon community wifi mesh firmware framework: Configuration to
enable brmldproxy in Gluon with batman-adv.

The configuration is tuned in a way to enable the usage of
layer 3 IPv6 multicast routers for routable IPv6 multicast
address ranges. But with a lot smaller MLD overhead
compared to the filter_membership_reports=false site.conf option.

If a node has no multicast listener for a routable IPv6
multicast address then this node will emit no MLD report
into the mesh. Furthermore, if a node has multiple multicast
listening hosts for routable IPv6 multicast addresses then the
node will act in deputy and respond with combined, aggregated
MLD reports on behalf.

This package is currently incompatible with a
filter_membership_reports=true site.conf option.
endef

define Package/gluon-mesh-batman-adv-brmldproxy/conffiles
/etc/config/brmldproxy
endef

$(eval $(call BuildPackageGluon,gluon-mesh-batman-adv-brmldproxy))
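Review bot: The last paragraph of the package description says the package is incompatible with "filter_membership_reports=true", but the documentation added in this same commit says "filter_membership_reports=false", and check_site.lua passes true as the expected value to need_value(). The description looks inverted; suggest "filter_membership_reports=false" here so the description, the docs and the site check agree. The commit message carries the same "=true" wording.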
1 change: 1 addition & 0 deletions package/gluon-mesh-batman-adv-brmldproxy/check_site.lua
@@ -0,0 +1 @@
need_value(in_site({'mesh', 'filter_membership_reports'}), true, false)
@@ -0,0 +1,9 @@
config brmldproxy 'client'
option disabled '0'
option bridge 'client'
option family 'ipv6'
list proxiedport 'bat0'
list excludedport 'local-port'
list excludefilter 'ff05::2:1001'
list excludefilter 'ff02::/ff0f::'
list excludefilter 'ff00::/ff0e::'
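Review bot: The three excludefilter entries have no explanation, although they decide which groups are ever reported into the mesh. Read as address/mask, 'ff02::/ff0f::' and 'ff00::/ff0e::' key on the scope nibble of the multicast address, which is not obvious at a glance, and 'ff05::2:1001' is excluded without a stated reason. A comment above each entry naming the scope or service it covers would make later changes to this filter set safer to review.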
@@ -0,0 +1,34 @@
#!/usr/bin/lua

local uci = require('simple-uci').cursor()

-- Allow incoming MLD on brmldp0/1/... devices
uci:section('firewall', 'rule', 'brmldproxy_mld_in', {
name = 'brmldproxy_mld_in',
device = 'brmldp+',
direction = 'in',
src = '*',
src_ip = 'fe80::/10',
target = 'ACCEPT',
family = 'ipv6',
proto = 'icmp',
icmp_type = { '130/0', '131/0', '132/0', '143/0', },
})

-- Fix default mark of MLDv2 reports (bug in the Linux IPv6 stack)
-- See: https://marc.info/?l=netfilter&m=168959399302909
-- Subject: skb->mark not cleared for MLDv2 Reports? (skb->mark == 212 / 0xd4)
uci:section('firewall', 'rule', 'brmldproxy_mldv2_mark_fixup', {
name = 'brmldproxy_mldv2_mark_fixup',
device = 'brmldp+',
direction = 'out',
dest = '*',
src_ip = 'fe80::/10',
target = 'MARK',
set_mark = '0x0',
family = 'ipv6',
proto = 'icmp',
icmp_type = { '143/0', },
})

uci:save('firewall')
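Review bot: The brmldproxy_mldv2_mark_fixup rule applies set_mark = '0x0' to every outgoing MLDv2 report on brmldp+ devices, not only to packets carrying the stray 212 / 0xd4 mark described in the linked thread, so a mark placed on these packets on purpose would be cleared as well. The comment should state that no other rule is expected to mark this traffic and name the condition under which the workaround can be dropped, so it does not outlive the kernel bug unnoticed.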
