
vxlan layers learns broadcast / multicast addresses from incoming packets #3191

Closed
blocktrron opened this issue Feb 17, 2024 · 1 comment · Fixed by #3204
Labels
0. type: bug This is a bug 3. topic: batman-adv 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN

Comments

@blocktrron (Member)

When a Gluon node receives a vxlan packet where the encapsulated ethernet source-address is a broadcast or multicast address, the Gluon node adds this source-address to its FDB. Subsequently, all broadcast packets and therefore batman-adv OGMs are exclusively sent to this node as unicast.

[screenshot]

de12d533e19496afbf99ea4486dd6000000000a61140fe8000000000000094afbffffe99ea44fe80000000000000dc12d5fffe33e1949acb12b500a60000080000003418f400ffffffffffff96afbf99ea444305000f31000aaf98e1de12d533e193de12d533e19400ce002c0401001c014700039abfab1780010000d383d63080000000c750872600000000060200041900000002010000000f3000bcdd26e99629afe64f0bde12d533e19400c2002c0401001c01fd0003419655e18001000008aa28c680000000a2b78f4a00000000060200041900000002010000

I'm unsure if this behavior is okay (or how it happens organically). However, as this allows a DoS on a wired-mesh network, we should at least apply a hotfix. I will open a pull-request for this.

I assume meshing over wireguard using vxlan should not be affected, from my understanding, as it's a 1:1 peer connection. Someone with more insight into this architecture should evaluate if this is also affected.
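The condition described in the report, as an added example that is not part of the issue and not Gluon or kernel code: a small parser for Ethernet/IPv6/UDP/VXLAN frames that flags an inner source MAC with the I/G bit set (broadcast or multicast), applied to the frame dumped above (whose inner source is unicast, so it is the benign case) and to a constructed variant with the inner source rewritten to ff:ff:ff:ff:ff:ff. A second helper scans `bridge fdb show dev <vxlan-if>` output for entries such a frame would have created. Assumptions: no IPv6 extension headers sit between the fixed header and UDP, VXLAN is on UDP port 4789, the FDB lines follow the usual `<mac> dev <if> dst <ip> ...` shape, and the sample FDB listing is constructed, not taken from a real node.

```python
"""Added example (not Gluon or kernel code): spot VXLAN frames whose inner
Ethernet source MAC is broadcast/multicast, and audit a vxlan FDB listing
for entries that such frames would have poisoned it with."""
import ipaddress
import struct

VXLAN_PORT = 4789                       # IANA UDP port for VXLAN (assumption: default port in use)
ETH_P_IPV6 = 0x86DD
ETH_P_BATMAN = 0x4305                   # batman-adv ethertype, carried in the inner frame below
IPPROTO_UDP = 17
INNER_SRC_OFFSET = 14 + 40 + 8 + 8 + 6  # outer eth + IPv6 + UDP + VXLAN + inner dst MAC

# The frame quoted in the issue: a forwarded batman-adv OGM inside VXLAN over IPv6.
ISSUE_FRAME_HEX = (
    "de12d533e19496afbf99ea4486dd6000000000a61140"
    "fe8000000000000094afbffffe99ea44fe80000000000000dc12d5fffe33e194"
    "9acb12b500a60000080000003418f400"
    "ffffffffffff96afbf99ea444305"
    "000f31000aaf98e1de12d533e193de12d533e19400ce002c"
    "0401001c014700039abfab1780010000d383d63080000000c750872600000000"
    "060200041900000002010000"
    "000f3000bcdd26e99629afe64f0bde12d533e19400c2002c"
    "0401001c01fd0003419655e18001000008aa28c680000000a2b78f4a00000000"
    "060200041900000002010000"
)

# Constructed FDB listing (not from the issue): flood entry, a learned peer, one poisoned entry.
SAMPLE_FDB = [
    "00:00:00:00:00:00 dev vx0 dst fe80::dc12:d5ff:fe33:e194 via eth0 self permanent",
    "de:12:d5:33:e1:94 dev vx0 dst fe80::dc12:d5ff:fe33:e194 self",
    "ff:ff:ff:ff:ff:ff dev vx0 dst fe80::94af:bfff:fe99:ea44 self",
]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def is_non_unicast(mac: bytes) -> bool:
    """True for multicast and broadcast: the I/G bit (LSB of the first octet) is set."""
    return bool(mac[0] & 0x01)


def parse_vxlan_ipv6(frame: bytes):
    """Parse Ethernet/IPv6/UDP/VXLAN/Ethernet; return None for anything else.
    Assumption: no IPv6 extension headers before the UDP header."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip = frame[14:]
    if len(ip) < 40 or ip[6] != IPPROTO_UDP:
        return None
    payload_len = struct.unpack("!H", ip[4:6])[0]
    udp = ip[40:40 + payload_len]
    if len(udp) < 8:
        return None
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_PORT:
        return None
    vx = udp[8:]
    if len(vx) < 8 or not (vx[0] & 0x08):   # I flag: VNI field is valid
        return None
    inner = vx[8:]
    if len(inner) < 14:
        return None
    return {
        "outer_src": str(ipaddress.IPv6Address(ip[8:24])),
        "vni": int.from_bytes(vx[4:7], "big"),
        "inner_dst": inner[0:6],
        "inner_src": inner[6:12],
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
    }


def check_frame(frame: bytes) -> dict:
    """Flag a VXLAN frame whose inner source MAC would be learned as a non-unicast FDB entry."""
    p = parse_vxlan_ipv6(frame)
    if p is None:
        return {"vxlan": False, "suspicious": False}
    return {
        "vxlan": True,
        "outer_src": p["outer_src"],
        "vni": p["vni"],
        "inner_src": mac_str(p["inner_src"]),
        "inner_dst": mac_str(p["inner_dst"]),
        "inner_ethertype": p["inner_ethertype"],
        "suspicious": is_non_unicast(p["inner_src"]),
    }


def make_poisoned(frame: bytes, inner_src: str) -> bytes:
    """Constructed test input: the same frame with the inner source MAC replaced."""
    return frame[:INNER_SRC_OFFSET] + mac_bytes(inner_src) + frame[INNER_SRC_OFFSET + 6:]


def audit_fdb(lines) -> list:
    """Return (mac, dst) for non-unicast entries in `bridge fdb show dev <if>` output.
    The all-zero MAC is the normal flood/default entry and is skipped."""
    bad = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        mac = mac_bytes(fields[0])
        if mac == b"\x00" * 6 or not is_non_unicast(mac):
            continue
        dst = fields[fields.index("dst") + 1] if "dst" in fields else None
        bad.append((fields[0], dst))
    return bad


if __name__ == "__main__":
    frame = bytes.fromhex(ISSUE_FRAME_HEX)
    print("issue frame:", check_frame(frame))
    print("poisoned   :", check_frame(make_poisoned(frame, "ff:ff:ff:ff:ff:ff")))
    print("fdb audit  :", audit_fdb(SAMPLE_FDB))
```

On a live node the `audit_fdb` input is the output of `bridge fdb show dev <vxlan-if>`; any hit other than the all-zero flood entry means the device has learned a broadcast/multicast MAC as a unicast destination, which is exactly the state the report describes. The per-frame check is only a detection aid; the durable fix is to stop the vxlan driver from learning such addresses in the first place, as the OpenWrt commits referenced further down this page do.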

@blocktrron blocktrron added 0. type: bug This is a bug 3. topic: batman-adv 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN labels Feb 17, 2024
blocktrron added a commit to blocktrron/gluon that referenced this issue Feb 17, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
blocktrron added a commit to blocktrron/gluon that referenced this issue Feb 17, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
blocktrron added a commit that referenced this issue Feb 21, 2024
See Gluon #3191

Link: #3191

Signed-off-by: David Bauer <mail@david-bauer.net>
@blocktrron (Member, Author)

I will keep this issue open until we've backported the fix to v2023.2 and v2023.1.

blocktrron added a commit to blocktrron/gluon that referenced this issue Feb 22, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
blocktrron added a commit to blocktrron/gluon that referenced this issue Feb 22, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
blocktrron added a commit to blocktrron/gluon that referenced this issue Feb 22, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
blocktrron added a commit that referenced this issue Feb 23, 2024
See Gluon #3191

Link: #3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
openwrt-bot pushed a commit to openwrt/openwrt that referenced this issue Feb 26, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address

Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
blocktrron added a commit to blocktrron/gluon that referenced this issue Feb 27, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
openwrt-bot pushed a commit to openwrt/openwrt that referenced this issue Feb 27, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address

Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 0985262)
blocktrron added a commit that referenced this issue Feb 27, 2024
See Gluon #3191

Link: #3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
noblemtw pushed a commit to noblemtw/openwrt-nss23-0x that referenced this issue Mar 8, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address

Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
rmandrad pushed a commit to rmandrad/openwrt that referenced this issue Mar 9, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address

Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
schuettecarsten pushed a commit to schuettecarsten/openwrt that referenced this issue Apr 8, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address

Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
misanthropos pushed a commit to misanthropos/gluon that referenced this issue Apr 29, 2024
hafu pushed a commit to Freifunk-Potsdam/gluon that referenced this issue Jun 2, 2024
See Gluon freifunk-gluon#3191

Link: freifunk-gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
davintagas pushed a commit to davintagas/ROOterSource2305 that referenced this issue Jun 26, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address

Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 0985262fd0f0b9c33e1fb559e71c041379199a91)