Sven-Ola Tuecke (spam-protected)
Wed Apr 28 10:15:40 CEST 2010


to be honest: one may mix up the rp_filter requirements easily. Here's a new 
summary. If I rp_filter=1 anything, I need:

smartgw client:
  ath0.rp_filter=0 (that's the olsr-mesh-interface)
smartgw server:
  tunl0.rp_filter=0 (that's the implicit avail iface after insmod ipip)

I think it does not hurt to disable rp_filter on the created tunnel interfaces 
as it's done currently. So all we need is to add a "tunl0.rp_filter=0" statement 
(mind the letter 'l', aka ELL!!!) in kernel_tunnel.c (see DEV_IPV4_TUNNEL).

The "no tunl0.rp_filter file" issue with the XEN-2.6.18 really looks like a 
kernel bug to me now. You need to "rmmod ipip" *AND* "rmmod tunnel4", 
then "modprobe ipip". After this, do "ip link set dev tunl0 up" and the proc 
file exists. If you do not rmmod tunnel4 first, you need the additional "ip 
addr add dev tunl0". Which is illegal to some extent too. I would 
simply mention that in the readme, e.g.


For the SmartGW server, the implicit tunl0 interface is used to forward 
incoming packets from SmartGW clients to the internet route. With kernel-2.6, 
this is protected by the rp_filter. Note that, at least with RedHat kernel 
2.6.18, the net.ipv4.conf.tunl0.rp_filter sysctl file is not present after 
loading the "ipip" kernel module, which prevents OLSRD from switching off the 
filter. As a workaround, add an "ip addr add dev tunl0" line after 
the "modprobe ipip" line in your OLSRD startup script. 

While the SmartGW function does a fine job on stand-alone PCs, system builders 
should keep in mind the following facts when setting up routing, firewalls 
and gateways:

a) The SmartGW tunnel communicates asymmetrically. An IP packet destined to 
an Internet server is sent via the IPIP tunnel but returned via the standard 
OLSRD host route.

b) On the SmartGW server, you should double check your firewall rules and 
rp_filter defaults. While it's normally not possible to simply encap e.g. 
a "telnet" into IPIP and send that to the SmartGW server, your 
specific configuration may open up other attack vectors for an intruder.

c) Do not forget to un-firewall tunl0->internet and (if required) to 
NAT/MASQUERADE this communication path.

d) For the stand-alone client (Notebook user running OLSRD in order to browse) 
the lowered IPIP tunnel MTU is no problem. If you do proxy routing, e.g. for 
attached LAN clients without OLSRD, you may want MSS-clamping for the tunnel 
interface created by OLSRD. This may require a background job monitoring 
tunnel interfaces, because OLSRD uses an arbitrary name for the interface.


I'm still no IPv6 expert, but does the ip6tnl0 device need rp_filter handling too?

// Sven-Ola

On Tuesday 27 April 2010 20:04:53, Markus Kittenberger wrote:
> On Tue, Apr 27, 2010 at 7:39 PM, Sven-Ola Tuecke <(spam-protected)> wrote:
> > ? it wrote about the smartgw-server. Only if HNA4 is active - and only
> > then -
> jep only on the server side,..
> > you need tunl0.rp_filter=0 for the tunl0 iface on kernel-2.6. Otherwise
> > incoming stuff is discarded immediately and not forwarded to the inet
> > interface. Whereas older 2.6 kernels obviously do not have tunl0.rp_filter
> > until an IP is assigned.
> sounds like another kernel version specific adaption we need,.. )-;
> Markus
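The steps discussed in this thread (rp_filter off on the mesh interface for a SmartGW client, the ipip/tunnel4 reload order and rp_filter off on tunl0 for a SmartGW server, and MSS clamping on the tunnel interfaces OLSRD creates, item d above) collected into one POSIX shell script. This is an added example, not code from the post or from OLSRD. Assumptions: the mesh interface name ath0 from the post is the default for MESH_IF; OLSRD-created tunnels are found by their `link/ipip` type in `ip -o link` output instead of by name, because the post says the name is arbitrary; the interface name tnl_olsr1 in the embedded sample output is constructed; SYSCTL_ROOT can be pointed away from /proc/sys and DRY_RUN=1 echoes the privileged commands instead of running them, so the script can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the post or from OLSRD: rp_filter handling for a
# SmartGW client/server plus MSS clamping for OLSRD-created IPIP tunnels.
# Assumptions: SYSCTL_ROOT=/proc/sys unless overridden (for dry runs/tests),
# MESH_IF=ath0 (the mesh interface named in the post), DRY_RUN=1 echoes
# privileged commands instead of executing them.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
MESH_IF="${MESH_IF:-ath0}"
DRY_RUN="${DRY_RUN:-0}"
POLL_SECS="${POLL_SECS:-5}"

# Execute a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Path of the per-interface rp_filter sysctl file, e.g.
# /proc/sys/net/ipv4/conf/tunl0/rp_filter
rp_filter_path() {
    printf '%s/net/ipv4/conf/%s/rp_filter\n' "$SYSCTL_ROOT" "$1"
}

# Switch the reverse-path filter off for one interface.
# Returns 2 if the sysctl file does not exist yet (the tunl0 case from the
# post: on some 2.6 kernels it only appears once tunl0 is up / has an address).
rp_filter_off() {
    f=$(rp_filter_path "$1")
    if [ ! -e "$f" ]; then
        echo "rp_filter_off: $f missing; bring $1 up first" >&2
        return 2
    fi
    if [ "$DRY_RUN" = 1 ]; then echo "+ echo 0 > $f"; else echo 0 > "$f"; fi
}

# SmartGW client: replies to tunnelled packets come back over the plain
# OLSRD host route on the mesh interface, so rp_filter must be off there.
smartgw_client() {
    rp_filter_off "$MESH_IF"
}

# SmartGW server: reload ipip in the order the post found necessary
# (rmmod ipip, then rmmod tunnel4), bring tunl0 up so its rp_filter sysctl
# exists, then disable the filter on it.
smartgw_server() {
    run rmmod ipip 2>/dev/null || true
    run rmmod tunnel4 2>/dev/null || true
    run modprobe ipip
    run ip link set dev tunl0 up
    rp_filter_off tunl0
}

# Print the names of all IPIP tunnel devices in `ip -o link` output read from
# stdin. Matching on link/ipip avoids guessing OLSRD's tunnel naming.
ipip_ifaces() {
    awk '/link\/ipip/ { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name); print name }'
}

# Clamp TCP MSS to the path MTU for traffic leaving one tunnel interface,
# for proxied LAN clients that cannot see the lowered tunnel MTU.
clamp_mss() {
    run iptables -t mangle -A FORWARD -o "$1" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Background job: poll for newly created tunnels and clamp each one once.
# Caveat: a tunnel deleted and recreated under the same name is not re-clamped.
clamp_loop() {
    done_list=" "
    while :; do
        for ifc in $(ip -o link | ipip_ifaces); do
            case "$done_list" in *" $ifc "*) continue ;; esac
            clamp_mss "$ifc"
            done_list="$done_list$ifc "
        done
        sleep "$POLL_SECS"
    done
}

# Constructed sample of `ip -o link` output (tnl_olsr1 is a made-up name).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ath0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN\    link/ipip 0.0.0.0 brd 0.0.0.0
4: tnl_olsr1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN\    link/ipip 10.0.0.2 peer 10.0.0.1'

case "${1:-}" in
    client)  smartgw_client ;;
    server)  smartgw_server ;;
    clamp)   clamp_loop ;;
    demo)    printf '%s\n' "$SAMPLE_IP_LINK" | ipip_ifaces ;;
    *)       echo "usage: $0 client|server|clamp|demo" >&2 ;;
esac
```

Run `DRY_RUN=1 sh smartgw-rp.sh server` to see the exact command sequence without touching the kernel; `sh smartgw-rp.sh demo` lists the IPIP devices found in the embedded sample. The clamp rule goes into the mangle FORWARD chain keyed on the outgoing tunnel interface, so it only affects forwarded (proxied) traffic, which is the case item d describes; a stand-alone client does not need it.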

