-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gluon-mesh-batman-adv-brmldproxy: add package #2995
base: main
Are you sure you want to change the base?
Conversation
f8c26e7
to
f1ff246
Compare
Changelog v2:
|
Changelog v3:
|
Regarding the batman-adv patch: I think this a patch which could be integrated in upstream when the real world effects are verified/tested in actual setups. |
As discussed during the Gluon meeting back then it would be great to gather a bit of real world experiences with it. I've now prepared some packages with all the upcoming batman-adv / Gluon multicast features integrated into Gluon package feeds. So far tested on VMs only, but real hardware tests coming up next. It should be enough to just add it to your site/modules file and update all nodes with it. Should compile+run for Gluon v2021.1.x, Gluon v2023.1 and Gluon master: https://github.com/T-X/gluon-batman-adv-next/ If any community would be interested in testing IPv6 multicast routing between communities (on their own Gluon domains), let me know. |
With the last firmware update at Freifunk Lübeck the latest gluon-batman-adv-next package feed was rolled out, with brmldproxy integration and the latest batman-adv release (v2024.0). So far we didn't notice any issues/regressions. Haven't found a second community to test an IPv6 multicast router (pim6sd) on a Gluon based network with, but with using mrdisc (https://github.com/troglobit/mrdisc) on one wifi client I can see the MLD reports for (mostly) routable multicast addresses arriving on the local Gluon node from other nodes in tcpdump. And when stopping mrdisc, I don't see these MLD reports anymore. So to me seems to work as expected/intended on a real setup. |
This package is currently incompatible with a | ||
filter_membership_reports=true site.conf option. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
docs/package/gluon-mesh-batman-adv-brmldproxy.rst says differently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will fix this, thanks!
Two more notes / observations thanks to @ecsv :
Unfortunately, with the current
(Not quite sure how to fix that. Would I need to implement a new need_value() variant?)
However I forgot to implement to dynamically generate gluon-mesh-batman-adv-brmldproxy/files/etc/config/brmldproxy then from the Gluon Lua update scripts, with "list excludefilter 'ff02::/ff0f::'" removed in that "filter_membership_reports=false" case. Will fix that. With "filter_membership_reports" not set in a site.conf I'd assume that people want to have the behaviour which Gluon maintainers would suggest for most cases. Which in my opinion would be, and what is currently implemented, to have brmldproxy installed by default. With MLD reports only forwarded if a client listening to routeable multicast addresses and an IPv6 multicast router is present. |
c8d3fcc
to
0858812
Compare
0858812
to
cf37b5d
Compare
Changelog v4:
The bpfcountd concept has now also successfully been tested between Freifunk Lübeck and a domain at Freifunk Vogtland. With pim6sd and bpfcountd multicast audio could be transmitted on one and listened to in the other Gluon site/domain. |
package/features
Outdated
@@ -38,6 +38,7 @@ when(_'web-advanced' and _'autoupdater', { | |||
|
|||
when(_'mesh-batman-adv-15', { | |||
'gluon-ebtables-limit-arp', | |||
'gluon-mesh-batman-adv-brmldproxy', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the feature should be included by default.
|
||
[ "$(gluon-show-site | jsonfilter -e "@.mesh.filter_membership_reports")" = "false" ] && exit 0 | ||
|
||
[ -x /etc/init.d/brmldproxy ] && /etc/init.d/brmldproxy enabled && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- There is no need to check for the executability,
gluon-mesh-batman-adv-brmldproxy
depends onbrmldproxy
- There is no need to check for the
enabled
status (on Gluon, all installed services are always enabled; disabling is not preserved on ugprades, so it is not supported). If disabling should be possible, a/etc/config/gluon
flag must be introduced.
|
||
([ "$INTERFACE" != "bat0" ] || [ "$ACTION" != "ifup" ]) && exit 0 | ||
|
||
[ "$(gluon-show-site | jsonfilter -e "@.mesh.filter_membership_reports")" = "false" ] && exit 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Printing the whole site and then filtering it is inefficient. You can copy the lookup_site
helper from package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh
.
@@ -13,8 +13,4 @@ if site.mesh.filter_membership_reports(true) then | |||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report | |||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done | |||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report | |||
|
|||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should these be allowed unconditionally, or only when the feature is enabled?
cf37b5d
to
3895867
Compare
Changelog v5:
|
@T-X have you seen the comments by neocturne? these are without answers, at least as far as i can see |
16c7ac7
to
8245234
Compare
Changelog v6:
|
@rotanid thanks for the comment, but I think all of @neocturne 's previous remarks were addressed in v5 already |
@@ -0,0 +1,37 @@ | |||
#!/bin/sh | |||
|
|||
{ [ "$INTERFACE" != "client" ] || [ "$ACTION" != "ifup" ]; } && exit 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
{ [ "$INTERFACE" != "client" ] || [ "$ACTION" != "ifup" ]; } && exit 0 | |
if [ "$INTERFACE" != "client" ] || [ "$ACTION" != "ifup" ]; then exit 0; fi |
@@ -0,0 +1,37 @@ | |||
#!/bin/sh | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
set -e |
lua -e "print(require('gluon.site').$path('$default'))" | ||
} | ||
|
||
[ "$(lookup_site 'mesh.filter_membership_reports' 'true')" = "false" ] && exit 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[ "$(lookup_site 'mesh.filter_membership_reports' 'true')" = "false" ] && exit 0 | |
if [ "$(lookup_site 'mesh.filter_membership_reports' 'true')" = "false" ]; then exit 0; fi |
# => only send report to IPv6 multicast routers | ||
tc filter add dev bat0 parent fffe: protocol ipv6 prio 4221 handle 11: u32 divisor 1 | ||
tc filter add dev bat0 parent fffe: protocol ipv6 prio 4221 u32 ht 11: match u8 131 0xff at 48 match u8 0 0xff at 49 action pedit ex munge eth dst set 33:33:42:4e:f3:14 munge offset 0x30 u16 set 0x6483 action pipe classid 1:1 | ||
tc filter add dev bat0 parent fffe: protocol ipv6 prio 4221 u32 ht 11: match u8 132 0xff at 48 match u8 0 0xff at 49 action pedit ex munge eth dst set 33:33:42:4e:f3:14 munge offset 0x30 u16 set 0x6484 action pipe classid 1:1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe some helpers could be added for the repetitive parts of these commands?
bridge mdb "$1" dev br-client port local-port grp "$BRMLDPROXY_RTR_GROUP" permanent 2> /dev/null | ||
} | ||
|
||
if batctl mcast_flags | grep -q "^Multicast flags (own flags: \[.*R6\.*\]"; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if batctl mcast_flags | grep -q "^Multicast flags (own flags: \[.*R6\.*\]"; then | |
if batctl mcast_flags | grep -q '^Multicast flags (own flags: \[.*R6\.*\]'; then |
Also, maybe the JSON output should be used here?
@@ -0,0 +1,13 @@ | |||
#!/bin/sh | |||
|
|||
BRMLDPROXY_RTR_GROUP="ff12::424e:f314" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add a comment regarding the source of this group address?
Using a group prefix derived from prefix6
(as specified in some RFC) might also be a an alternative.
Now that we have general support for routable IPv6 multicast address in Gluon master thanks to the newer Linux (bridge) and batman-adv versions it becomes more interesting to also support layer 3 IPv6 multicast routers. So far this was also not possible with the default settings in Gluon due to filtering MLD into the mesh. This now adds support for brmldproxy, a daemon which proxies MLD reports between bridge ports. For the Gluon scenario this package adds brmldproxy proxying configuration for the mesh side bat0 bridge port. The configuration is tuned in a way to enable the usage of layer 3 IPv6 multicast routers for routable IPv6 multicast address ranges. But with a lot smaller MLD overhead compared to the filter_membership_reports=false site.conf option. If a node has no multicast listener for a routable IPv6 multicast address then this node will emit no MLD report into the mesh. Furthermore, if a node has multiple multicast listening hosts for routable IPv6 multicast addresses then the node will act in deputy and respond with combined, aggregated MLD reports on behalf. Signed-off-by: Linus Lüssing <[email protected]>
8245234
to
19da4c6
Compare
Changelog v7:
Could not use JSON for the "batctl mcast_flags" check though as the own flags in the reader are not printed in batctl's JSON mode output. |
19da4c6
to
bc4be6d
Compare
bc4be6d
to
64d7ade
Compare
Changelog v8:
|
So far batman-adv flooded all MLD reports. However in our use-case, with the limitations we already have (*) it is safe to send MLD reports to detected multicast routers only. This reduces MLD report overhead even further than brmldproxy alone already does. And in particular results in no MLD reports in the mesh if no multicast router is present. This should, after some more testing from others, potentially make the gluon-mesh-batman-adv-brmldproxy package suitable for being included by default. As overhead downsides should then be negligible. (*): non-Gluon nodes still need to manually set multicast_router=2 on the bat0 bridge port. Signed-off-by: Linus Lüssing <[email protected]>
If there is no multicast router behind a bridge port then the Linux bridge multicast snooping code itself will refrain from forwarding a report, as recommended/required by RFC4541 ("Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches). So these rules are in most cases redundant. On the other hand, removing them allows to actually run an IPv6 multicast router behind a Gluon node. Since OpenWrt 23.05 it will allow detecting multicast routers via Multicast Router Discovery (RFC4286). And removing these ebtables rules will allow a layer 3 multicast router to then receive MLD reports from the mesh properly and by that to learn about others listeners in the mesh. These incoming MLD report filtering rules are only removed when gluon-mesh-batman-adv-brmldproxy is installed, to avoid any other functional changes otherwise. Signed-off-by: Linus Lüssing <[email protected]>
The whole MLD report proxying only works if there is an MLD querier somewhere on the mesh side that actually polls for MLD reports. So far in our tests we configured gateway nodes for the MLD querier job. To ease the MLD querier setup, to avoid needing to enable an MLD querier manually on some gateway(s) this makes use of the new adjustments in brmldproxy that added a bridge interface on top of the proxy dummy interface: If batman-adv detected a multicast router behind one of its local client bridge ports (MRD advertisements are sufficient and recommended) then enable a potential MLD querier candidate, eligible for MLD querier election, automatically on this node towards the mesh side. Signed-off-by: Linus Lüssing <[email protected]>
64d7ade
to
f770514
Compare
Changelog v9:
|
Now that we have general support for routable IPv6 multicast address in Gluon main thanks to the newer Linux (bridge) and batman-adv versions it becomes more interesting to also support layer 3 IPv6 multicast routers.
So far this was also not possible with the default settings in Gluon due to filtering MLD into the mesh. This now adds support for brmldproxy, a daemon which proxies MLD reports between bridge ports.
For the Gluon scenario this package adds brmldproxy proxying configuration for the mesh side bat0 bridge port.
The configuration is tuned in a way to enable the usage of layer 3 IPv6 multicast routers for routable IPv6 multicast address ranges. But with a lot smaller MLD overhead compared to the filter_membership_reports=false site.conf option.
If a node has no multicast listener for a routable IPv6 multicast address then this node will emit no MLD report into the mesh. Furthermore, if a node has multiple multicast listening hosts for routable IPv6 multicast addresses then the node will act in deputy and respond with combined, aggregated MLD reports on behalf.
This package is currently incompatible with a
filter_membership_reports=true site.conf option.
This pull-request requires: freifunk-gluon/packages#264