On Monday 16 May 2016 19:05:26 Andrei Palade wrote:
> I installed batman-adv on 4-Raspberry Pi Model 3, and I now want to emulate an out of reach situation. Instead of physically moving the PIs into another room, I want to use some mechanism that will do this for me. I ran the following command on node D:
> ip6tables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
This is the wrong layer. What you are now doing is to add a layer 3 firewall based on layer 2 addresses. The batman-adv stuff happens in completely different layers/headers because batman-adv encapsulates the traffic in its own headers.
So batman-adv is below this IPv6 firewall and thus the firewall never sees the packet on the intermediate node. The MAC address you used here is the one directly below the IPv6 header and has nothing to do with batman-adv. And this address will not change when batman-adv forwards packets. So your rule will drop any IPv6 packet from XX:XX:XX:XX:XX:XX independent of the path it took to reach this node.
But your rule doesn't block any batman-adv traffic (OGM, ELP, ...) because these are all sent as ethernet frames (layer 2). But what you want in your test setup is to filter these messages.
> Did I approach this correctly?
Unfortunately, this is not correct. You have to modify the layer below batman-adv. So for example add an ebtables rule on a "wrapper" bridge only containing your original ethernet/wifi interface which is then added to batman-adv as interface (this may require some tinkering with the wifi driver to allow adding of a wifi interface to a bridge - search for IFF_DONT_BRIDGE). Or you should look if your ethernet/wifi driver allows MAC filters. This is not the first time this was asked. Here are some example search terms:
* http://search.gmane.org/?query=ebtables&author=&group=gmane.org.frei...
* http://search.gmane.org/?query=force+topology&author=&group=gmane.or...
* http://search.gmane.org/?query=blocking+ogm&author=&group=gmane.org....
You could also try to use netem + ingress TC filters. Ingress shaping is a little bit tricky but there are examples available which use ifb to map ingress to the ifb interface's egress (which can then be used as normal).
* https://serverfault.com/questions/350023/tc-ingress-policing-and-ifb-mirrori...
* http://tdistler.com/2011/06/10/netem-wan-emulation-how-to-setup-a-netem-box
* http://andthatsjazz.org/lartc/mac.html
> Basically what I want to do is from A, B, C, D, to be able to route packages from A to D through C, instead of physically moving D out of reach of A. How do I do this, and how can I check if it works?
You have to check via `batctl o` or `batctl ping -R ...` to find out over which neighbor the target is reachable.
Kind regards,
Sven
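
The wrapper-bridge approach described in the reply above, written out as an added example that is not part of the original thread. The interface names `eth0` and `br-wrap` and any MAC address passed in are placeholders; by default the script only prints the commands (`DRY_RUN=1`), and `DRY_RUN=0` as root applies them.

```shell
#!/bin/sh
# Added example: filter frames *below* batman-adv using a wrapper bridge and
# ebtables. Interface names and MAC addresses are constructed placeholders.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only six colon-separated hex octets, so a typo never reaches ebtables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# wrap_and_block PHYS BRIDGE MAC [MAC...]
wrap_and_block() {
    [ "$#" -ge 3 ] || { echo "usage: wrap_and_block PHYS BRIDGE MAC..." >&2; return 2; }
    phys="$1"; bridge="$2"; shift 2
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # batman-adv must sit on the bridge, not on the raw interface.
    # (A Wi-Fi interface may refuse to be bridged, see IFF_DONT_BRIDGE above.)
    run batctl if del "$phys"
    run ip link add name "$bridge" type bridge
    run ip link set dev "$phys" master "$bridge"
    run ip link set dev "$phys" up
    run ip link set dev "$bridge" up
    # Install the drop rules before batman-adv is attached, so no OGM/ELP
    # frame from the blocked neighbour is processed in between.
    for mac in "$@"; do
        run ebtables -A INPUT --logical-in "$bridge" -s "$mac" -j DROP
    done
    run batctl if add "$bridge"
    run batctl o    # the blocked neighbour should no longer be a direct next hop
}

if [ "$#" -ge 3 ]; then wrap_and_block "$@"; fi
```

The rule only drops frames received on the node where it is installed; cutting the link in both directions needs the mirror rule on the other node.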