Hi all, I'm trying to make some tests on batman-adv with some stations, but I'm in trouble since I'm not able to "hide" a node from another. In other words, I would like to create some personalized topologies to test batman against them.
To do this, first of all, I should block OGMs from a particular station. I tried with ebtables in order to block all the packets with source MACa (where MACa is the MAC address of the station I would like to prevent from communicating with me), but I failed.
Does anyone know a working way to do what I described before?
Thank you so much!
Regards
Hi,
welcome on our list! :-)
To do this, first of all, I should block OGMs from a particular station. I tried with ebtables in order to block all the packets with source MACa (where MACa is the MAC address of the station I would like to prevent from communicating with me), but I failed.
Does anyone know a working way to do what I described before?
I think it would be easier to help you if you described in more detail what exactly you tried so far and why it was not successful. Please give us all the settings & commands involved, otherwise we have to guess what is going on.
Cheers, Marek
Hi,
On Mon, May 10, 2010 at 01:47:58 +0800, Marek Lindner wrote:
Hi,
welcome on our list! :-)
Thank you! :)
To do this, first of all, I should block OGMs from a particular station. I tried with ebtables in order to block all the packets with source MACa (where MACa is the MAC address of the station I would like to prevent from communicating with me), but I failed.
Does anyone know a working way to do what I described before?
I think it would be easier to help you if you described in more detail what exactly you tried so far and why it was not successful. Please give us all the settings & commands involved, otherwise we have to guess what is going on.
Ok, I'm going to list all the commands I used. First of all, I'm using the svn version of batman-adv, in order to be up to date. The topology, actually, is a simple adhoc net between two hosts.
What I did is: inserting the module, activating the if and adding the phy if to bat0:
# insmod batman-adv.ko
# ifconfig bat0 up
# batctl if add wlan0
Then I tried to block any kind of packets from a known mac (say MACa).
# ebtables -A INPUT -s MACa -j DROP
After this I checked with "batctl o" if I was still able to see the other host, and even after waiting a few minutes, the host was still in the list.
What am I missing? I tried also using the FORWARD chain of ebtables, and also adding more constraints on the filter, but it didn't help.
I hope to have explained it clearly.
Regards Antonio
Hi Antonio,
Then I tried to block any kind of packets from a known mac (say MACa).
# ebtables -A INPUT -s MACa -j DROP
After this I checked with "batctl o" if I was still able to see the other host, and even after waiting a few minutes, the host was still in the list.
I tried it on two routers with ebtables and iptables here, too. I fired away all (redundant and, like the forwarding stuff, usually even useless) commands that came to my mind that could possibly block ANY traffic at all:
---
ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
ebtables -A FORWARD -j DROP
ebtables -t broute -A BROUTING -j DROP
ebtables -t nat -A PREROUTING -j DROP
iptables -I INPUT -m physdev --physdev-is-in -j DROP
iptables -I OUTPUT -m physdev --physdev-is-out -j DROP
iptables -I FORWARD -m physdev --physdev-is-bridged -j DROP
---
Of course, no ssh connection and stuff like that and basically no other communication got through... except for batman-adv's OGMs and batping packets, looking at that over a serial console! So it looks like batman-adv is getting hold of the OGMs before any filtering rules of the iptables/ebtables modules can get hold of them.
Additionally, the iptables/ebtables packet counts didn't seem to recognise any packets.
So it looks like either this is intended and batman-adv is also a very stealthy super-trojan (but couldn't find any proof for this in the source code yet ;) ) or batman-adv is just mistakenly catching them (and maybe even dropping them although the skb-copy should prevent this?) before the kernel or any other (filtering) kernel modules could have a glance at them.
I'm sorry having said that this should work on IRC before, but filtering (even bridged) arp/ip-packets over bat0 works like a charm - hadn't tried filtering raw batman-adv ethernet frames yet.
Cheers, Linus
Hi Linus,
thank you for your time spent on my problem :)
The problem seems to be that iptables filters only packets that are sent to the IP layer and above, so any packet intended for a protocol living on a layer lower than IP is not recognized (e.g. a batman frame).
Ebtables instead works only on eth bridges... I tried it because I thought that bat0 was acting like a bridge indeed, but this is not the case... The only solution I thought of could be this: create a bridge-if br0, attach wlan0 to it and then attach br0 to bat0, and then you could let ebtables work between wlan0 and br0... maybe it could work... But attaching a wlan-if to an eth-bridge-if is not actually possible.
So it seems that batman-adv is too clever for us :P
Regards,
On Wed, 12 May 2010 23:02:50 +0200 (CEST), Linus Lüssing linus.luessing@web.de wrote:
Hi Antonio,
Then I tried to block any kind of packets from a known mac (say MACa).
# ebtables -A INPUT -s MACa -j DROP
After this I checked with "batctl o" if I was still able to see the other host, and even after waiting a few minutes, the host was still in the list.
I tried it on two routers with ebtables and iptables here, too. I fired away all (redundant and, like the forwarding stuff, usually even useless) commands that came to my mind that could possibly block ANY traffic at all:
---
ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
ebtables -A FORWARD -j DROP
ebtables -t broute -A BROUTING -j DROP
ebtables -t nat -A PREROUTING -j DROP
iptables -I INPUT -m physdev --physdev-is-in -j DROP
iptables -I OUTPUT -m physdev --physdev-is-out -j DROP
iptables -I FORWARD -m physdev --physdev-is-bridged -j DROP
---
Of course, no ssh connection and stuff like that and basically no other communication got through... except for batman-adv's OGMs and batping packets, looking at that over a serial console! So it looks like batman-adv is getting hold of the OGMs before any filtering rules of the iptables/ebtables modules can get hold of them.
Additionally, the iptables/ebtables packet counts didn't seem to recognise any packets.
So it looks like either this is intended and batman-adv is also a very stealthy super-trojan (but couldn't find any proof for this in the source code yet ;) ) or batman-adv is just mistakenly catching them (and maybe even dropping them although the skb-copy should prevent this?) before the kernel or any other (filtering) kernel modules could have a glance at them.
I'm sorry having said that this should work on IRC before, but filtering (even bridged) arp/ip-packets over bat0 works like a charm - hadn't tried filtering raw batman-adv ethernet frames yet.
Cheers, Linus
Hey,
The problem seems to be that iptables filters only packets that are sent to the IP layer and above, so any packet intended for a protocol living on a layer lower than IP is not recognized (e.g. a batman frame).
I'd say you are right here.
Ebtables instead works only on eth bridges... I tried it because I thought that bat0 was acting like a bridge indeed, but this is not the case... The only solution I thought of could be this: create a bridge-if br0, attach wlan0 to it and then attach br0 to bat0, and then you could let ebtables work between wlan0 and br0... maybe it could work... But attaching a wlan-if to an eth-bridge-if is not actually possible.
At the WCW we sat together to discuss the issue. The easiest thing to test would be this: You create a bridge "br0" and add the wifi interface batman usually runs on (e.g. wlan0). Then you configure batman-adv to run on the bridge instead of on wlan0 directly (batctl if add br0). Since the packets travel through the bridge interface first, it might be possible to drop them there.
Be sure to create an individual bridge interface for each wifi interface you want to run batman-adv on. The purpose of the bridge interface is to allow packet filtering, not to bridge interfaces.
Please let us know how it goes. :-)
Cheers, Marek
Hi!
On Mon, May 17, 2010 at 03:37:44 +0800, Marek Lindner wrote:
Hey,
The problem seems to be that iptables filters only packets that are sent to the IP layer and above, so any packet intended for a protocol living on a layer lower than IP is not recognized (e.g. a batman frame).
I'd say you are right here.
Ebtables instead works only on eth bridges... I tried it because I thought that bat0 was acting like a bridge indeed, but this is not the case... The only solution I thought of could be this: create a bridge-if br0, attach wlan0 to it and then attach br0 to bat0, and then you could let ebtables work between wlan0 and br0... maybe it could work... But attaching a wlan-if to an eth-bridge-if is not actually possible.
At the WCW we sat together to discuss the issue. The easiest thing to test would be this: You create a bridge "br0" and add the wifi interface batman usually runs on (e.g. wlan0). Then you configure batman-adv to run on the bridge instead of on wlan0 directly (batctl if add br0). Since the packets travel through the bridge interface first, it might be possible to drop them there.
It is what I described just a few lines before... the problem is that adding the wlan0 interface to an eth-bridge (using a cfg80211 driver) is not possible (due to an "operation not permitted" error, probably because the devs don't want to do that :P), either with iwlagn or rt2x00
:(:(:(
Be sure to create an individual bridge interface for each wifi interface you want to run batman-adv on. The purpose of the bridge interface is to allow packet filtering, not to bridge interfaces.
Please let us know how it goes. :-)
Cheers, Marek
Regards
On Monday 17 May 2010 05:27:55 Antonio Quartulli wrote:
It is what I described just a few lines before... the problem is that adding the wlan0 interface to an eth-bridge (using a cfg80211 driver) is not possible (due to an "operation not permitted" error, probably because the devs don't want to do that :P), either with iwlagn or rt2x00
Ok, I did not quite get that the first time but it seems you are right: The wifi stack sets IFF_DONT_BRIDGE on any wifi interface in adhoc or station mode to keep it from being added to a bridge. Normally, this would be a very correct behaviour ..
Then we have to add ebtables support by calling some ebtables hooks that will tell us whether or not to drop the packet ? Is that possible (I'm not the ebtables expert here) ? :-)
Cheers, Marek
On Mon, May 17, 2010 at 06:53:01 +0800, Marek Lindner wrote:
On Monday 17 May 2010 05:27:55 Antonio Quartulli wrote:
It is what I described just a few lines before... the problem is that adding the wlan0 interface to an eth-bridge (using a cfg80211 driver) is not possible (due to an "operation not permitted" error, probably because the devs don't want to do that :P), either with iwlagn or rt2x00
Ok, I did not quite get that the first time but it seems you are right: The wifi stack sets IFF_DONT_BRIDGE on any wifi interface in adhoc or station mode to keep it from being added to a bridge. Normally, this would be a very correct behaviour ..
Then we have to add ebtables support by calling some ebtables hooks that will tell us whether or not to drop the packet ? Is that possible (I'm not the ebtables expert here) ? :-)
I'm not an expert either :P But it would be very nice; this way bat0 could be controlled like a bridge.
Thanks.
Cheers, Marek
batman-adv is receiving and sending the packets of its own ether type on a very early/low level. Therefore we need to add explicit hooks to give netfilter/ebtables a chance to filter them.
Signed-off-by: Linus Lüssing linus.luessing@web.de
Reported-by: Antonio Quartulli ordex@ritirata.org
---
batman-adv-kernelland/hard-interface.c | 17 +++++++++++++++--
batman-adv-kernelland/send.c | 8 ++++++--
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/batman-adv-kernelland/hard-interface.c b/batman-adv-kernelland/hard-interface.c index cc7fbae..6a64930 100644 --- a/batman-adv-kernelland/hard-interface.c +++ b/batman-adv-kernelland/hard-interface.c @@ -28,9 +28,11 @@ #include "bat_sysfs.h" #include "originator.h" #include "hash.h" -#include "compat.h"
#include <linux/if_arp.h> +#include <linux/netfilter_bridge.h> + +#include "compat.h"
#define MIN(x, y) ((x) < (y) ? (x) : (y))
@@ -433,6 +435,11 @@ out: return NOTIFY_DONE; }
+int batman_skb_recv_finish(struct sk_buff *skb) +{ + return NF_ACCEPT; +} + /* receive a packet with the batman ethertype coming on a hard * interface */ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev, @@ -452,6 +459,13 @@ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev, if (atomic_read(&module_state) != MODULE_ACTIVE) goto err_free;
+ /* if netfilter/ebtables wants to block incoming batman + * packets then give them a chance to do so here */ + ret = NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, dev, NULL, + batman_skb_recv_finish); + if (ret != 1) + goto err_out; + /* packet should hold at least type and version */ if (unlikely(skb_headlen(skb) < 2)) goto err_free; @@ -531,7 +545,6 @@ err_out: return NET_RX_DROP; }
- struct notifier_block hard_if_notifier = { .notifier_call = hard_if_event, }; diff --git a/batman-adv-kernelland/send.c b/batman-adv-kernelland/send.c index 99d11fe..b0d3627 100644 --- a/batman-adv-kernelland/send.c +++ b/batman-adv-kernelland/send.c @@ -29,6 +29,7 @@ #include "vis.h" #include "aggregation.h" #include "gateway_common.h" +#include <linux/netfilter_bridge.h>
#include "compat.h"
@@ -93,9 +94,12 @@ int send_skb_packet(struct sk_buff *skb,
/* dev_queue_xmit() returns a negative result on error. However on * congestion and traffic shaping, it drops and returns NET_XMIT_DROP - * (which is > 0). This will not be treated as an error. */ + * (which is > 0). This will not be treated as an error. + * Also, if netfilter/ebtables wants to block outgoing batman + * packets then giving them a chance to do so here */
- return dev_queue_xmit(skb); + return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, + dev_queue_xmit); send_skb_err: kfree_skb(skb); return NET_XMIT_DROP;
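Review bot: in the hard-interface.c hunk for batman_skb_recv, `if (ret != 1)` tests the NF_HOOK result against a bare literal; since batman_skb_recv_finish returns NF_ACCEPT, write `if (ret != NF_ACCEPT)` (or check for a negative result, which is what NF_HOOK yields when a hook drops the packet) so the intent is readable. The jump to `err_out` instead of `err_free` deserves a one-line comment: when ebtables drops the frame, netfilter has already freed the skb, so freeing it again here would be a double free. The declaration of `ret` is not visible in the hunk; please confirm it is an int declared at the top of the function.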
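Review bot: in the send.c hunk for send_skb_packet, the updated comment still says that drops are not treated as errors, but once dev_queue_xmit is wrapped in NF_HOOK a DROP verdict from ebtables makes the function return a negative value, which callers will now see as a transmit error rather than NET_XMIT_DROP; state whether that is intended or map the hook's drop result to NET_XMIT_DROP. The new comment text "then giving them a chance to do so here" should read "then give them a chance to do so here".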
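Review bot: the `@@ -531,7 +545,6 @@` hunk only deletes a blank line before `struct notifier_block hard_if_notifier`, which is unrelated to the netfilter hooks; drop it from this patch (or send it as a separate whitespace cleanup) so the change stays focused.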
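Review bot: the `@@ -28,9 +28,11 @@` hunk moves `#include "compat.h"` below the new `<linux/netfilter_bridge.h>` include without saying why; if compat.h has to see the netfilter definitions first, a short note in the commit message would save the next reader from undoing the reorder.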
Hi all,
On Wed, May 19, 2010 at 03:25:49AM +0200, Linus Lüssing wrote:
batman-adv is receiving and sending the packets of its own ether type on a very early/low level. Therefore we need to add explicit hooks to give netfilter/ebtables a chance to filter them.
Signed-off-by: Linus Lüssing linus.luessing@web.de
Reported-by: Antonio Quartulli ordex@ritirata.org
batman-adv-kernelland/hard-interface.c | 17 +++++++++++++++--
batman-adv-kernelland/send.c | 8 ++++++--
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/batman-adv-kernelland/hard-interface.c b/batman-adv-kernelland/hard-interface.c index cc7fbae..6a64930 100644 --- a/batman-adv-kernelland/hard-interface.c +++ b/batman-adv-kernelland/hard-interface.c @@ -28,9 +28,11 @@ #include "bat_sysfs.h" #include "originator.h" #include "hash.h" -#include "compat.h"
#include <linux/if_arp.h> +#include <linux/netfilter_bridge.h>
+#include "compat.h"
#define MIN(x, y) ((x) < (y) ? (x) : (y))
@@ -433,6 +435,11 @@ out: return NOTIFY_DONE; }
+int batman_skb_recv_finish(struct sk_buff *skb) +{
- return NF_ACCEPT;
+}
/* receive a packet with the batman ethertype coming on a hard
- interface */
int batman_skb_recv(struct sk_buff *skb, struct net_device *dev, @@ -452,6 +459,13 @@ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev, if (atomic_read(&module_state) != MODULE_ACTIVE) goto err_free;
- /* if netfilter/ebtables wants to block incoming batman
* packets then give them a chance to do so here */
- ret = NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, dev, NULL,
batman_skb_recv_finish);
- if (ret != 1)
goto err_out;
- /* packet should hold at least type and version */ if (unlikely(skb_headlen(skb) < 2)) goto err_free;
@@ -531,7 +545,6 @@ err_out: return NET_RX_DROP; }
struct notifier_block hard_if_notifier = { .notifier_call = hard_if_event, }; diff --git a/batman-adv-kernelland/send.c b/batman-adv-kernelland/send.c index 99d11fe..b0d3627 100644 --- a/batman-adv-kernelland/send.c +++ b/batman-adv-kernelland/send.c @@ -29,6 +29,7 @@ #include "vis.h" #include "aggregation.h" #include "gateway_common.h" +#include <linux/netfilter_bridge.h>
#include "compat.h"
@@ -93,9 +94,12 @@ int send_skb_packet(struct sk_buff *skb,
/* dev_queue_xmit() returns a negative result on error. However on * congestion and traffic shaping, it drops and returns NET_XMIT_DROP
* (which is > 0). This will not be treated as an error. */
* (which is > 0). This will not be treated as an error.
* Also, if netfilter/ebtables wants to block outgoing batman
* packets then giving them a chance to do so here */
- return dev_queue_xmit(skb);
- return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
dev_queue_xmit);
send_skb_err: kfree_skb(skb); return NET_XMIT_DROP; -- 1.5.6.5
I gave this patch a try, but I see something strange. After enabling a simple ebtables rule: ebtables -A INPUT -s MAC -j DROP and ebtables -A FORWARD -s MAC -j DROP (to be sure...)
I saw that batman ping was timing out, while the "originator list" (shown with batctl o) is still filled with the other node's entry...
Did I do something wrong?
Regards
I gave this patch a try, but I see something strange. After enabling a simple ebtables rule: ebtables -A INPUT -s MAC -j DROP and ebtables -A FORWARD -s MAC -j DROP (to be sure...)
I saw that batman ping was timing out, while the "originator list" (shown with batctl o) is still filled with the other node's entry...
Hi Antonio,
thanks for trying the patch! In my case, it worked, I tried it with ebtables -I INPUT -s MAC -j DROP or ebtables -I INPUT -p 0x4305 -j DROP (and the same for -I OUTPUT)
batctl td reported that it's not receiving any batman packets anymore, and also the originator table was empty after a couple of minutes.
Hmm, and also that batping is timing out for you seems to indicate that it should work on your side. Could you check with batctl td too? How long have you been waiting for the originator table to clear? (dead nodes are not being cleared immediately in batman, as they don't harm the routing decisions and we still need the last measurements in case they might get alive again)
Cheers, Linus
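As an added example (not code from this thread or from batman-adv itself), the following user-space model shows what the ebtables rules Linus lists above decide for raw frames on the wifi interface: a hypothetical rule table keyed on direction, source MAC and the batman-adv ethertype 0x4305, applied to constructed OGM-like frames. The addresses MAC_A and MAC_B, the demo rules and the type/version payload bytes are all constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

#define ETH_P_BATMAN 0x4305            /* batman-adv's own ethertype, as used in the thread */
#define ETH_ALEN 6
#define ETH_HLEN 14
#define FRAME_PROTO(f) ((uint16_t)((f)[12] << 8 | (f)[13]))

enum dir { DIR_IN, DIR_OUT };          /* the two hook points: local in / local out */
enum verdict { V_DROP = 0, V_ACCEPT = 1 };

struct rule {                          /* hypothetical ebtables-style rule: -s MAC / -p proto */
    enum dir dir;
    const uint8_t *src;                /* NULL = any source MAC */
    uint16_t proto;                    /* 0 = any ethertype */
    enum verdict target;
};

/* First matching rule for this direction decides; the default policy is ACCEPT.
 * Like the module's own sanity check, a batman frame must carry type and version. */
enum verdict filter_frame(const struct rule *rules, size_t n, enum dir d,
                          const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN || (FRAME_PROTO(frame) == ETH_P_BATMAN && len < ETH_HLEN + 2))
        return V_DROP;
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->dir != d || (r->src && memcmp(frame + ETH_ALEN, r->src, ETH_ALEN)) ||
            (r->proto && FRAME_PROTO(frame) != r->proto))
            continue;
        return r->target;
    }
    return V_ACCEPT;
}

/* Build a constructed raw frame with a broadcast destination, as an OGM has. */
size_t make_frame(uint8_t *buf, const uint8_t *src, uint16_t proto,
                  const uint8_t *payload, size_t plen)
{
    memset(buf, 0xff, ETH_ALEN);
    memcpy(buf + ETH_ALEN, src, ETH_ALEN);
    buf[12] = proto >> 8; buf[13] = proto & 0xff;
    memcpy(buf + ETH_HLEN, payload, plen);
    return ETH_HLEN + plen;
}

static const uint8_t MAC_A[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x0a};  /* constructed: node to hide */
static const uint8_t MAC_B[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x0b};  /* constructed: another node */
/* The thread's two rules applied to three constructed frames; returns the drop count. */
int demo(void)
{
    const struct rule rules[2] = {
        { DIR_IN,  MAC_A, 0,            V_DROP },  /* ebtables -I INPUT  -s MAC_A -j DROP */
        { DIR_OUT, NULL,  ETH_P_BATMAN, V_DROP },  /* ebtables -I OUTPUT -p 0x4305 -j DROP */
    };
    const uint8_t ogm[2] = {0x01, 0x04};       /* constructed type/version bytes */
    uint8_t f[64];
    size_t len = make_frame(f, MAC_A, ETH_P_BATMAN, ogm, 2);
    int drops = filter_frame(rules, 2, DIR_IN, f, len) == V_DROP;   /* hidden node's OGM: 1 */
    len = make_frame(f, MAC_B, ETH_P_BATMAN, ogm, 2);
    drops += filter_frame(rules, 2, DIR_IN, f, len) == V_DROP;      /* other node's OGM: 0 */
    drops += filter_frame(rules, 2, DIR_OUT, f, len) == V_DROP;     /* our own OGM going out: 1 */
    return drops;
}
```

The second frame shows why a rule on the source MAC alone hides one neighbour without silencing the rest of the mesh, while the OUTPUT rule on the ethertype silences this node's own OGMs entirely.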
On Fri, May 21, 2010 at 12:17:28 +0200, Linus Lüssing wrote:
I gave this patch a try, but I see something strange. After enabling a simple ebtables rule: ebtables -A INPUT -s MAC -j DROP and ebtables -A FORWARD -s MAC -j DROP (to be sure...)
I saw that batman ping was timing out, while the "originator list" (shown with batctl o) is still filled with the other node's entry...
Hi Antonio,
thanks for trying the patch! In my case, it worked, I tried it with ebtables -I INPUT -s MAC -j DROP or ebtables -I INPUT -p 0x4305 -j DROP (and the same for -I OUTPUT)
batctl td reported that it's not receiving any batman packets anymore, and also the originator table was empty after a couple of minutes.
Hmm, and also that batping is timing out for you seems to indicate that it should work on your side. Could you check with batctl td too? How long have you been waiting for the originator table to clear? (dead nodes are not being cleared immediately in batman, as they don't harm the routing decisions and we still need the last measurements in case they might get alive again)
Cheers, Linus
Hi Linus, I thought that the dead node should be pushed away after a while, not 3 minutes. So that was my mistake...indeed everything was working correctly!
I tried it again five minutes ago, and everything went as I expected!
Thanks very much!
Regards
P.S. batctl td was not so useful since I have to point it to wlan0... and obviously I can see all the packets there.
Hey,
I thought that the dead node should be pushed away after a while, not 3 minutes. So that was my mistake...indeed everything was working correctly!
I tried it again five minutes ago, and everything went as I expected!
I just pushed the patch (revision 1678). Thanks for bringing it up and thanks to Linus for fixing it.
Cheers, Marek
Hi Linus, I thought that the dead node should be pushed away after a while, not 3 minutes. So that was my mistake...indeed everything was working correctly!
I tried it again five minutes ago, and everything went as I expected!
Thanks very much!
Great! You're welcome :). Feel free to share any interesting tests and results with these manual, explicit filtering capabilities.
P.S. batctl td was not so useful since I have to point it to wlan0... and obviously I can see all the packets there.
Usually I myself am using "batctl td" in conjunction with grep. For instance, I'm having an interface which is nearly only having batman-adv traffic. I'm also usually not deactivating IPv6, so I get some annoying extra packets in batctl td - but I can easily get rid of this with "batctl td | grep -v Warning". '-v' is pretty handy to throw out undesired lines from the output.
Cheers, Linus
-- Antonio Quartulli
Each of us, alone, is worth nothing. Ernesto "Che" Guevara