Re: [PATCH maint v2 2/4] batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN

[Simon Wunderlich <sw@simonwunderlich.de>]

[-- Attachment #1: Type: text/plain, Size: 3822 bytes --]

On Friday, September 4, 2020 8:28:01 PM CEST Linus Lüssing wrote:
> Scenario:
> * Multicast frame send from a BLA backbone (multiple nodes with
>   their bat0 bridged together, with BLA enabled)
> 
> Issue:
> * BLA backbone nodes receive the frame multiple times on bat0
> 
> For multicast frames received via batman-adv broadcast packets the
> originator of the broadcast packet is checked before decapsulating and
> forwarding the frame to bat0 (batadv_bla_is_backbone_gw()->
> batadv_recv_bcast_packet()). If it came from a node which shares the
> same BLA backbone with us then it is not forwarded to bat0 to avoid a
> loop.
> 
> When sending a multicast frame in a non-4-address batman-adv unicast
> packet we are currently missing this check - and cannot do so because
> the batman-adv unicast packet has no originator address field.
> 
> However, we can simply fix this on the sender side by only sending the
> multicast frame via unicasts to interested nodes which do not share the
> same BLA backbone with us. This also nicely avoids some unnecessary
> transmissions on mesh side.
> 
> Note that no infinite loop was observed, probably because of dropping
> via batadv_interface_tx()->batadv_bla_tx(). However the duplicates still
> utterly confuse switches/bridges, ICMPv6 duplicate address detection and
> neighbor discovery and therefore leads to long delays before being able
> to establish TCP connections, for instance. And it also leads to the Linux
> bridge printing messages like:
> "br-lan: received packet on eth1 with own address as source address ..."
> 
> Fixes: 405cc1e5a81e ("batman-adv: Modified forwarding behaviour for
> multicast packets") Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
> ---
>  net/batman-adv/send.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
> index d267b948..67f493c0 100644
> --- a/net/batman-adv/send.c
> +++ b/net/batman-adv/send.c
> @@ -29,6 +29,7 @@
>  #include <linux/stddef.h>
>  #include <linux/workqueue.h>
> 
> +#include "bridge_loop_avoidance.h"
>  #include "distributed-arp-table.h"
>  #include "fragmentation.h"
>  #include "gateway_client.h"
> @@ -343,6 +344,18 @@ int batadv_send_skb_unicast(struct batadv_priv
> *bat_priv, if (!orig_node)
>  		goto out;
> 
> +	/* Avoid sending multicast-in-unicast packets to other BLA
> +	 * gateways - they already got the frame from the LAN side
> +	 * we share with them.
> +	 * TODO: Refactor multicast code to anticipate this, to
> +	 * avoid this check here.
> +	 */
> +	if (is_multicast_ether_addr(eth_hdr(skb)->h_dest) &&
> +	    batadv_bla_is_backbone_gw_orig(bat_priv, orig_node->orig, vid)) {
> +		dev_kfree_skb(skb);
> +		return NET_XMIT_SUCCESS;
> +	}
> +

Would it make sense to perform this check in the BATADV_UNICAST case, without 
checking the ethernet destination for multicast?

A backbone gateway should never send a unicast frame to another backbone 
gateway, regardless of multicast or not - those things should go over the 
backbone either way.

For 4addr unicasts, I see two cases: TT Unicasts could be dropped in the same 
way, as TT is ignored between backbone gateways. For DAT, there is currently 
no specific BLA handling for the unicast handling as far as I see, there are 
only some checks to make sure that ARP replies coming out of the correct 
backbone gateway. Since DAT is "best effort" and requests may get dropped, it's 
probably safe to drop this too.

That would allow us to use the same check as you have here, but dropping the 
check multicast ethernet address check.

Cheers,
       Simon

>  	switch (packet_type) {
>  	case BATADV_UNICAST:
>  		if (!batadv_send_skb_prepare_unicast(skb, orig_node))


[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]