b.a.t.m.a.n.lists.open-mesh.org archive mirror
* Re: [B.A.T.M.A.N.] Node movement
@ 2016-05-16 18:40 ` Sven Eckelmann
From: Sven Eckelmann @ 2016-05-16 18:40 UTC (permalink / raw)
  To: b.a.t.m.a.n


On Monday 16 May 2016 19:05:26 Andrei Palade wrote:
> I installed batman-adv on 4-Raspberry Pi Model 3, and I now want to
> emulate an out of reach situation. Instead of physically moving the
> PIs into another room, I want to use some mechanism that will do this
> for me. I ran the following command on node D:
> 
> ip6tables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

This is the wrong layer. What you are now doing is to add a layer 3 firewall
based on layer 2 addresses. The batman-adv stuff happens in completely
different layers/headers because batman-adv encapsulates the traffic in its own
headers.

So batman-adv is below this IPv6 firewall and thus the firewall never sees
the packet on the intermediate node. The mac address you used here is the one
directly below the IPv6 header and has nothing to do with batman-adv. And
this address will not change when batman-adv forwards packets. So your rule
will drop any IPv6 packet from XX:XX:XX:XX:XX:XX independent of the path
it took to reach this node.

But your rule doesn't block any batman-adv traffic (OGM, ELP, ...) because
these are all sent as ethernet frames (layer 2). But what you want in your
test setup is to filter these messages.

> Did I approach this correctly?

Unfortunately, this is not correct. You have to modify the layer below
batman-adv. So for example add an ebtables rule on a "wrapper" bridge only
containing your original ethernet/wifi interface which is then added to
batman-adv as interface (this may require some tinkering with the wifi driver
to allow adding of a wifi interface to a bridge - search for IFF_DONT_BRIDGE).
Or you should look if your ethernet/wifi driver allows mac filters. This is
not the first time this was asked. Here are some example search terms:

 * http://search.gmane.org/?query=ebtables&author=&group=gmane.org.freifunk.batman&sort=relevance&DEFAULTOP=and&%5B=1&TOPDOC=30&xP=Zebtabl&xFILTERS=Gorg.freifunk.batman---A
 * http://search.gmane.org/?query=force+topology&author=&group=gmane.org.freifunk.batman&sort=relevance&DEFAULTOP=and&xP=Zebtabl&xFILTERS=Gorg.freifunk.batman---A
 * http://search.gmane.org/?query=blocking+ogm&author=&group=gmane.org.freifunk.batman&sort=relevance&DEFAULTOP=and&xP=Zfilter%09Zogm&xFILTERS=Gorg.freifunk.batman---A

You could also try to use netem + ingress TC filters. Ingress shaping is a
little bit tricky but there are examples available which use ifb to map
ingress to the ifb interface's egress (which then can be used like
normally).

 * https://serverfault.com/questions/350023/tc-ingress-policing-and-ifb-mirroring#386791
 * http://tdistler.com/2011/06/10/netem-wan-emulation-how-to-setup-a-netem-box
 * http://andthatsjazz.org/lartc/mac.html

> Basically what I want to do is from
> A, B, C, D, to be able to route packages from A to D through C,
> instead of physically moving D out of reach of A. How do I do this,
> and how can I check if it works?

You have to check via `batctl o` or `batctl ping -R ...` to find out over
which neighbor the target is reachable.

Kind regards,
	Sven
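
The wrapper-bridge approach from the reply above, sketched as an added example (not part of the original mail and not code from the batman-adv project). The interface names `wlan0` and `br-wrap` and the `DRY_RUN` switch are assumptions; the neighbor's real MAC address is passed as the only argument.

```shell
#!/bin/sh
# Added example: names below are assumptions, not taken from the original mail.
PHYS_IF="${PHYS_IF:-wlan0}"      # hypothetical ethernet/wifi interface below batman-adv
WRAP_BR="${WRAP_BR:-br-wrap}"    # hypothetical single-port "wrapper" bridge
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the commands, 0 = execute them (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a full aa:bb:cc:dd:ee:ff address (rejects the XX:.. placeholder).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Build the wrapper bridge and give it, not the raw interface, to batman-adv.
setup_wrapper() {
    run ip link add name "$WRAP_BR" type bridge &&
    run ip link set dev "$PHYS_IF" master "$WRAP_BR" &&  # wifi may refuse: IFF_DONT_BRIDGE
    run ip link set dev "$PHYS_IF" up &&
    run ip link set dev "$WRAP_BR" up &&
    run batctl if add "$WRAP_BR"
}

# Layer 2 drop of every frame (OGM, ELP, encapsulated payload) from one neighbor.
hide_neighbor() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 2; }
    run ebtables -A INPUT -i "$PHYS_IF" -s "$1" -j DROP
}

# Undo hide_neighbor by deleting the same rule.
show_neighbor() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 2; }
    run ebtables -D INPUT -i "$PHYS_IF" -s "$1" -j DROP
}

# Usage: sh script.sh <neighbor-mac>, then inspect the originator table.
if [ "$#" -eq 1 ]; then
    setup_wrapper && hide_neighbor "$1" && run batctl o
fi
```

With `DRY_RUN=0` and root privileges the commands are executed instead of printed; the final `batctl o` output shows over which neighbor each originator is reachable.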
