[Olsr-dev] SmartGW client side questions

Wed Apr 28 11:20:30 CEST 2010

On Wed April 28 2010 10:15:40 Sven-Ola Tuecke wrote:
> Hey,
> 
> to be honest: one may mix up the rp_filter requirements easily. Here's a
> new summary. If I rp_filter=1 anything, I need:
> 
> smartgw client:
>   ath0.rp_filter=0 (that's the olsr-mesh-interface)
>   if(kernel>=2.6.31)all.rp_filter=0
> smartgw server:
>   tunl0.rp_filter=0 (that's the implicit avail iface after insmod ipip)
>   if(kernel>=2.6.31)all.rp_filter=0
Hmm... do you think we can combine this into setting rp_filter=0 on all mesh 
interfaces and the tunl0 interface on both client and server ? This would make 
switching between client and server much easier.
 
> I think it does not hurt to disable rp_filter on the created tunnel
> interfaces as it's done currently. So all we need is to add
> "tunl0.rp_filter=0" (mind the letter 'l' aka. ELL!!!) statement in
> kernel_tunnel.c (see DEV_IPV4_TUNNEL string).
Ok.

> The "no tunl0.rp_filter file" issue with the XEN-2.6.18 really looks like a
> kernel bug to me now. You need to "rmmod ipip" *AND* "rmmod tunnel4",
> then "modprobe ipip". After this, do "ip link set dev tunl0 up" and the
> proc file exists. If you do not rmmod tunnel4 first, you need the
> additional "ip addr add 0.0.0.0/32 dev tunl0". Which is illegal to some
> extent too. I would simply mention that in the readme, e.g.
That sounds like a bug.
 
> <readme>
> 
> For the SmartGW server, the implicit tunl0 interface is used to forward
> incoming packets from SmartGW clients to the internet route. With
> kernel-2.6, this is protected by the rp_filter. Note, that at least with
> RedHat kernel 2.6.18, the net.ipv4.conf.tunl0.rp_filter sysctl file is not
> present after loading the "ipip" kernel module, which prevents OLSRD from
> switching off the filter. As a workaround, add a "ip addr add 0.0.0.0/32
> dev tunl0" after the "modprobe ipip" line in your OLSRD startup script.
> 
> While the SmartGW function does a fine job on stand-alone PCs, system
> builders should keep in mind the following facts when setting up routing,
> firewalls and gateways:
> 
> a) The SmartGW tunnel communicates asymmetrically. An IP packet destinned
> to an Internet server is sent via the IPIP tunnel but returned via the
> standard OLSRD host route.
> 
> b) On the SmartGW server, you should double check your firewall rules and
> rp_filter defaults. While it's normally not possible to simply encap e.g.
> a "telnet 127.0.0.1" into IPIP and sent that to the SmartGW server, your
> specific configuration may open up other attack vectors for an intruder.
> 
> c) Do not forget to un-firewall tunl0->internet and (if required to
> NAT/MASQUERADE) this communication path.
> 
> d) For the stand-alone client (Notebook user running OLSRD in order to
> browse) the lowered IPIP tunnel MTU is no problem. If you do proxy
> routing, e.g. for attached LAN clients without OLSRD, you may want
> MSS-clamping for the tunnel interface created by OLSRD. This may require a
> background job monitoring tunnel interfaces, because OLSRD uses an
> arbitrary name for the interface.
> 
> </readme>
Shall we add this to the README-OLSR-Extensions file ?

> I'm still no IPv6 expert, but the ip6tnl0 device needs rp_filter handling
> too?
I'm not sure if the ipv6 tunnels have an rp_filter, but I will check it this 
evening.

Henning Rogge

-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Neuenahrer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:(spam-protected) http://www.fkie.fraunhofer.de
GPG: E1C6 0914 490B 3909 D944 F80D 4487 C67C 55EC CFE0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.olsr.org/pipermail/olsr-dev/attachments/20100428/dd9bba0c/attachment.sig>