[Olsr-dev] SmartGW client side questions
Wed Apr 28 10:15:40 CEST 2010
to be honest: one may mix up the rp_filter requirements easily. Here's a new
summary. If I rp_filter=1 anything, I need:
ath0.rp_filter=0 (that's the olsr-mesh-interface)
tunl0.rp_filter=0 (that's the implicit avail iface after insmod ipip)
I think it does not hurt to disable rp_filter on the created tunnel interfaces
as it's done currently. So all we need is to add "tunl0.rp_filter=0" (mind
the letter 'l' aka. ELL!!!) statement in kernel_tunnel.c (see DEV_IPV4_TUNNEL
The "no tunl0.rp_filter file" issue with the XEN-2.6.18 really looks like a
kernel bug to me now. You need to "rmmod ipip" *AND* "rmmod tunnel4",
then "modprobe ipip". After this, do "ip link set dev tunl0 up" and the proc
file exists. If you do not rmmod tunnel4 first, you need the additional "ip
addr add 0.0.0.0/32 dev tunl0". Which is illegal to some extent too. I would
simply mention that in the readme, e.g.
For the SmartGW server, the implicit tunl0 interface is used to forward
incoming packets from SmartGW clients to the internet route. With kernel-2.6,
this is protected by the rp_filter. Note, that at least with RedHat kernel
2.6.18, the net.ipv4.conf.tunl0.rp_filter sysctl file is not present after
loading the "ipip" kernel module, which prevents OLSRD from switching off the
filter. As a workaround, add a "ip addr add 0.0.0.0/32 dev tunl0" after
the "modprobe ipip" line in your OLSRD startup script.
While the SmartGW function does a fine job on stand-alone PCs, system builders
should keep in mind the following facts when setting up routing, firewalls
a) The SmartGW tunnel communicates asymmetrically. An IP packet destined to
an Internet server is sent via the IPIP tunnel but returned via the standard
OLSRD host route.
b) On the SmartGW server, you should double check your firewall rules and
rp_filter defaults. While it's normally not possible to simply encap e.g.
a "telnet 127.0.0.1" into IPIP and send that to the SmartGW server, your
specific configuration may open up other attack vectors for an intruder.
c) Do not forget to un-firewall tunl0->internet and (if required to
NAT/MASQUERADE) this communication path.
d) For the stand-alone client (Notebook user running OLSRD in order to browse)
the lowered IPIP tunnel MTU is no problem. If you do proxy routing, e.g. for
attached LAN clients without OLSRD, you may want MSS-clamping for the tunnel
interface created by OLSRD. This may require a background job monitoring
tunnel interfaces, because OLSRD uses an arbitrary name for the interface.
I'm still no IPv6 expert, but the ip6tnl0 device needs rp_filter handling too?
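As an added example (not code from this mail and not olsrd's own code), a POSIX shell script that applies the rp_filter settings and the tunl0 workaround described above, plus the forwarding, NAT and MSS-clamping rules from points c) and d). It assumes ath0 as the mesh interface, eth0 as the server's upstream interface, and that the tunnel devices olsrd creates can be listed with "ip -o link show type ipip"; the PROC_ROOT and DRY_RUN variables exist only so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: not from the mail above and not olsrd's own code.
# Assumptions (none of them stated on the list): the mesh interface is ath0,
# the upstream interface on the SmartGW server is eth0, olsrd-created tunnels
# are ipip devices that "ip -o link show type ipip" can list, and olsrd leaves
# the implicit tunl0 device alone. PROC_ROOT and DRY_RUN only exist so the
# functions can be exercised without root (e.g. against a temporary tree).

PROC_ROOT="${PROC_ROOT:-/proc/sys}"
DRY_RUN="${DRY_RUN:-0}"
MESH_IF="${MESH_IF:-ath0}"
WAN_IF="${WAN_IF:-eth0}"

# Execute a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sysctl file that rp_filter=0 has to be written to for one interface.
rpf_file() {
    printf '%s/net/ipv4/conf/%s/rp_filter\n' "$PROC_ROOT" "$1"
}

# Switch the reverse-path filter off for one interface.
# Returns 1 when the sysctl file does not exist (the 2.6.18 case from the mail).
disable_rp_filter() {
    f=$(rpf_file "$1")
    [ -e "$f" ] || return 1
    if [ "$DRY_RUN" = 1 ]; then printf 'echo 0 > %s\n' "$f"; else echo 0 > "$f"; fi
}

# Server side: load ipip, then disable rp_filter on tunl0. If the sysctl file
# is missing, apply the workaround suggested in the mail (give tunl0 an
# address and bring it up) and try once more.
prepare_tunl0() {
    run modprobe ipip
    if ! disable_rp_filter tunl0; then
        run ip addr add 0.0.0.0/32 dev tunl0
        run ip link set dev tunl0 up
        disable_rp_filter tunl0
    fi
}

# Point c): let decapsulated client traffic leave towards the internet and
# NAT it on the way out.
allow_tunl0_to_internet() {
    run iptables -A FORWARD -i tunl0 -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Point d): clamp the TCP MSS on one tunnel interface so proxied LAN clients
# do not send segments that exceed the lowered IPIP MTU.
mss_clamp_rule() {
    run iptables -t mangle -A FORWARD -o "$1" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Parse "ip -o link show" output (stdin) into bare device names, dropping the
# "@NONE" suffix and the implicit tunl0 device, which olsrd does not use on
# the client side.
tunnel_names_from_iplink() {
    awk -F': ' '{ sub(/@.*/, "", $2); print $2 }' | grep -vx tunl0
}

# olsrd chooses the tunnel interface names itself, so discover them instead
# of hard-coding one; the background job from point d) would call this
# periodically (and check for an already present rule before appending).
clamp_olsrd_tunnels() {
    for t in $(ip -o link show type ipip | tunnel_names_from_iplink); do
        mss_clamp_rule "$t"
    done
}

# Client side: the mesh interface must not filter; olsrd disables rp_filter
# on the tunnels it creates itself.
client_setup() {
    disable_rp_filter "$MESH_IF"
    clamp_olsrd_tunnels
}

server_setup() {
    disable_rp_filter "$MESH_IF"
    prepare_tunl0
    allow_tunl0_to_internet
}

case "${1:-}" in
    client) client_setup ;;
    server) server_setup ;;
esac
```

Run it as "DRY_RUN=1 sh smartgw-setup.sh server" first to see the commands it would issue; the tunl0 retry only succeeds on kernels where assigning the address makes the sysctl file appear, so a failing second disable_rp_filter is the signal that the kernel needs the rmmod tunnel4/ipip dance instead.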
On Tuesday 27 April 2010 20:04:53 Markus Kittenberger wrote:
> On Tue, Apr 27, 2010 at 7:39 PM, Sven-Ola Tuecke <(spam-protected)> wrote:
> > ? it wrote about the smartgw-server. Only if HNA4 is active - and only
> > then -
> jep only on the server side,..
> > you need tunl0.rp_filter=0 for the tunl0 iface on kernel-2.6. Otherwise
> > incoming stuff is discarded immediately and not forwarded to the inet
> > interface. Whereas older 2.6 kernels obviously do not have tunl0.rp_filter
> > until an IP is assigned.
> sounds like another kernel version specific adaption we need,.. )-;