Message ID | 1440343170-13040-5-git-send-email-linus.luessing@c0d3.blue |
---|---|
State | Accepted |
Headers | show |
Hi Linus, one of these two kernel patches break IPv6 over WiFi completely. https://dev.openwrt.org/changeset/46719 works https://dev.openwrt.org/changeset/46723 is broken with default settings, but works when setting option igmp_snooping 0. symptoms are: "IPv6: wlan0: IPv6 duplicate address fe80::[...] detected!" in the client's kernel log when connecting using WiFi. Connecting through Ethernet (bridged to said WiFi) works as expected though. Since the link-local is marked as dadfailed over WiFi, IPv6 connectivity is completely broken, obviously the DAD failed is a false positive. Router is ar71xx / ath9k. Client is iwlwfi. Let me know if you need more info. Cheers, Steven
Hi Steven,
Thanks for the feedback.
On Sat, Aug 29, 2015 at 04:21:50PM +0200, Steven Barth wrote:
> Let me know if you need more info.
Could you make a tcpdump for ICMPv6 on the wifi of the client?
Please start it before connecting and let it run for about three
minutes after connecting to the wifi.
On the router side, what's the output of:
* /sys/class/net/$bridged-wifi/brport/hairpin
* /sys/class/net/$bridged-wifi/brport/multicast_to_unicast
* /tmp/run/hostapd-*, ap-isolate=...
Cheers, Linus
On Sun, Aug 30, 2015 at 03:49:50PM +0200, Linus Lüssing wrote: > Hi Steven, > > Thanks for the feedback. > > On Sat, Aug 29, 2015 at 04:21:50PM +0200, Steven Barth wrote: > > Let me know if you need more info. > > Could you make a tcpdump for ICMPv6 on the wifi of the client? > Please start it before connecting and let it run for about three > minutes after connecting to the wifi. Ok, I was able to easily reproduce the issue here. Looking at the tcpdump the wifi client receives its own Neighbor Solicitation again, reflected through the bridge-hairpin option. The Linux IPv6 stack seems to interpret the reflected NS as an address collision with another host. It seems a little weird that the Linux kernel does that for NS - I think an IPv6 implementation should only interpret Neighbor Advertisements as address conflicts if I remember the RFCs correctly. My current thought to fix this issue is to patch the multicast-to-unicast patch in the following way: Only transmit multicast-to-unicast'ed packets if the mangled, now unicast MAC destination address differs from the MAC source. We need to think about what'd happen for non-multicast-to-unicast'ed multicast packets which get reflected back to the wifi interface though. This should only happen if a multicast router is on one of the wifi clients / STAs, I think. Will need to check whether the Linux kernel interprets multicast packets without a mangled MAC destination as duplicates, too. Cheers, Linus
PS: Out of curiousity, can someone with deeper knowledge into 802.11 tell me, when an STA sends a multicast packet to its master which then rebroadcasts it at e.g. 1MBit/s, how does the originating STA know that its a rebroadcast of its own frame and refrain from forwarding it internally?
>Ok, I was able to easily reproduce the issue here. Looking at the >tcpdump the wifi client receives its own Neighbor Solicitation >again, reflected through the bridge-hairpin option. Why are we reflecting packets back to the originator anyway? Could it not be excluded? Btw. once we are bit more stable i will try to test how the igmpv3/mldv2 querier / proxy I wrote interacts here (disabling kernel querier).
On Mon, Aug 31, 2015 at 11:29:45AM +0200, Steven Barth wrote: > > > > >Ok, I was able to easily reproduce the issue here. Looking at the > >tcpdump the wifi client receives its own Neighbor Solicitation > >again, reflected through the bridge-hairpin option. > > Why are we reflecting packets back to the originator anyway? Could it not be excluded? Currently the multicast-to-unicast patch reflects it back as it detected that the originator itself is a listener of the multicast group of the Neighbor Solicitation. I had somehow expected that mac80211 would exclude it. But looks like it doesn't. And yes, we can exclude/drop that unicast'ed multicast packet with src==dst on the bridge side already like I said before for a suggested fix. But it's not 100% sufficient yet, we'd have issues again once a multicast router/querier is on an STA. Cheers, Linus > > Btw. once we are bit more stable i will try to test how the igmpv3/mldv2 querier / proxy I wrote interacts here (disabling kernel querier). I'd be interested to hear about that :).
On Mon, Aug 31, 2015 at 12:19:44PM +0200, Linus Lüssing wrote: > I had somehow expected that mac80211 would exclude it. But looks like it > doesn't. Looks like mac80211 on an STA does that for frames with a multicast destination (to prevent getting the own multicast packets echo'd back once the AP rebroadcasts them, I guess). E.g. ap-isolation + bridge-hairpin without multicast-to-unicast works fine. So maybe the simple fix for the multicast-to-unicast patch is sufficient. The unicast-to-multicast patch mangled the destination to a unicast one and mac80211 does not seem to consider their source address. Going to make and try a patch for the bridge now. Cheers, Linus
diff --git a/target/linux/generic/patches-3.18/645-bridge_multicast_to_unicast.patch b/target/linux/generic/patches-3.18/645-bridge_multicast_to_unicast.patch index 00ad14f..e8be1fd 100644 --- a/target/linux/generic/patches-3.18/645-bridge_multicast_to_unicast.patch +++ b/target/linux/generic/patches-3.18/645-bridge_multicast_to_unicast.patch @@ -87,19 +87,16 @@ { struct br_ip br_group; -@@ -736,7 +758,10 @@ static int br_ip6_multicast_add_group(st +@@ -736,7 +758,7 @@ static int br_ip6_multicast_add_group(st br_group.proto = htons(ETH_P_IPV6); br_group.vid = vid; - return br_multicast_add_group(br, port, &br_group); -+ if (ipv6_addr_is_solict_mult(group)) -+ src = NULL; -+ + return br_multicast_add_group(br, port, &br_group, src); } #endif -@@ -965,6 +990,7 @@ static int br_ip4_multicast_igmp3_report +@@ -965,6 +987,7 @@ static int br_ip4_multicast_igmp3_report struct sk_buff *skb, u16 vid) { @@ -107,7 +104,7 @@ struct igmpv3_report *ih; struct igmpv3_grec *grec; int i; -@@ -1008,7 +1034,7 @@ static int br_ip4_multicast_igmp3_report +@@ -1008,7 +1031,7 @@ static int br_ip4_multicast_igmp3_report continue; } @@ -116,7 +113,7 @@ if (err) break; } -@@ -1022,6 +1048,7 @@ static int br_ip6_multicast_mld2_report( +@@ -1022,6 +1045,7 @@ static int br_ip6_multicast_mld2_report( struct sk_buff *skb, u16 vid) { @@ -124,7 +121,7 @@ struct icmp6hdr *icmp6h; struct mld2_grec *grec; int i; -@@ -1070,7 +1097,7 @@ static int br_ip6_multicast_mld2_report( +@@ -1070,7 +1094,7 @@ static int br_ip6_multicast_mld2_report( } err = br_ip6_multicast_add_group(br, port, &grec->grec_mca, @@ -133,7 +130,7 @@ if (err) break; } -@@ -1406,7 +1433,8 @@ br_multicast_leave_group(struct net_brid +@@ -1407,7 +1431,8 @@ br_multicast_leave_group(struct net_brid struct net_bridge_port *port, struct br_ip *group, struct bridge_mcast_other_query *other_query, @@ -143,7 +140,7 @@ { struct net_bridge_mdb_htable *mdb; struct net_bridge_mdb_entry *mp; -@@ -1456,7 +1484,7 @@ br_multicast_leave_group(struct net_brid +@@ -1457,7 +1482,7 @@ br_multicast_leave_group(struct net_brid for (pp = &mp->ports; (p = mlock_dereference(*pp, br)) != NULL; pp = &p->next) { @@ -152,7 +149,7 @@ continue; rcu_assign_pointer(*pp, p->next); -@@ -1490,7 +1518,7 @@ br_multicast_leave_group(struct net_brid +@@ -1491,7 +1516,7 @@ br_multicast_leave_group(struct net_brid for (p = mlock_dereference(mp->ports, br); p != NULL; p = mlock_dereference(p->next, br)) { @@ -161,7 +158,7 @@ continue; if (!hlist_unhashed(&p->mglist) && -@@ -1508,8 +1536,8 @@ out: +@@ -1509,8 +1534,8 @@ out: static void br_ip4_multicast_leave_group(struct net_bridge *br, struct net_bridge_port *port, @@ -172,7 +169,7 @@ { struct br_ip br_group; struct bridge_mcast_own_query *own_query; -@@ -1524,14 +1552,14 @@ static void br_ip4_multicast_leave_group +@@ -1525,14 +1550,14 @@ static void br_ip4_multicast_leave_group br_group.vid = vid; br_multicast_leave_group(br, port, &br_group, &br->ip4_other_query, @@ -189,7 +186,7 @@ { struct br_ip br_group; struct bridge_mcast_own_query *own_query; -@@ -1546,7 +1574,7 @@ static void br_ip6_multicast_leave_group +@@ -1547,7 +1572,7 @@ static void br_ip6_multicast_leave_group br_group.vid = vid; br_multicast_leave_group(br, port, &br_group, &br->ip6_other_query, @@ -198,7 +195,7 @@ } #endif -@@ -1555,6 +1583,7 @@ static int br_multicast_ipv4_rcv(struct +@@ -1556,6 +1581,7 @@ static int br_multicast_ipv4_rcv(struct struct sk_buff *skb, u16 vid) { @@ -206,7 +203,7 @@ struct sk_buff *skb2 = skb; const struct iphdr *iph; struct igmphdr *ih; -@@ -1628,7 +1657,7 @@ static int br_multicast_ipv4_rcv(struct +@@ -1629,7 +1655,7 @@ static int br_multicast_ipv4_rcv(struct case IGMP_HOST_MEMBERSHIP_REPORT: case IGMPV2_HOST_MEMBERSHIP_REPORT: BR_INPUT_SKB_CB(skb)->mrouters_only = 1; @@ -215,7 +212,7 @@ break; case IGMPV3_HOST_MEMBERSHIP_REPORT: err = br_ip4_multicast_igmp3_report(br, port, skb2, vid); -@@ -1637,7 +1666,7 @@ static int br_multicast_ipv4_rcv(struct +@@ -1638,7 +1664,7 @@ static int br_multicast_ipv4_rcv(struct err = br_ip4_multicast_query(br, port, skb2, vid); break; case IGMP_HOST_LEAVE_MESSAGE: @@ -224,7 +221,7 @@ break; } -@@ -1655,6 +1684,7 @@ static int br_multicast_ipv6_rcv(struct +@@ -1656,6 +1682,7 @@ static int br_multicast_ipv6_rcv(struct struct sk_buff *skb, u16 vid) { @@ -232,7 +229,7 @@ struct sk_buff *skb2; const struct ipv6hdr *ip6h; u8 icmp6_type; -@@ -1764,7 +1794,8 @@ static int br_multicast_ipv6_rcv(struct +@@ -1765,7 +1792,8 @@ static int br_multicast_ipv6_rcv(struct } mld = (struct mld_msg *)skb_transport_header(skb2); BR_INPUT_SKB_CB(skb)->mrouters_only = 1; @@ -242,7 +239,7 @@ break; } case ICMPV6_MLD2_REPORT: -@@ -1781,7 +1812,7 @@ static int br_multicast_ipv6_rcv(struct +@@ -1782,7 +1810,7 @@ static int br_multicast_ipv6_rcv(struct goto out; } mld = (struct mld_msg *)skb_transport_header(skb2);
This reverts commit a080e8e1943156168913d0353a2e99d1151102aa. It did not fix the problem but just hid some symptom. The real issue was that IGMP/MLD report suppression was not considered for the multicast-to-unicast feature. A recent netifd which isolates IGMP/MLD reports between STAs by utilizing AP-isolation and bridge-hairpinning should have fixed this. It is perfectly fine to apply multicast-to-unicast to IPv6 Neighbor Solicitations, too (once that feature is configured correctly). Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> --- .../645-bridge_multicast_to_unicast.patch | 37 +++++++++----------- 1 file changed, 17 insertions(+), 20 deletions(-)