vxlan layers learns broadcast / multicast addresses from incoming packets #3191
Labels
0. type: bug
This is a bug
3. topic: batman-adv
3. topic: wireguard
This is about wireguard, an in-kernel layer 3 VPN
Comments
blocktrron added a commit to blocktrron/gluon that referenced this issue on Feb 17, 2024
See Gluon freifunk-gluon#3191
Link: freifunk-gluon#3191
Signed-off-by: David Bauer <mail@david-bauer.net>
blocktrron added a commit that referenced this issue on Feb 21, 2024
I will keep this issue open until we've backported the fix to v2023.2 and v2023.1.
blocktrron added a commit to blocktrron/gluon that referenced this issue on Feb 22, 2024
See Gluon freifunk-gluon#3191
Link: freifunk-gluon#3191
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
blocktrron added a commit that referenced this issue on Feb 23, 2024
openwrt-bot pushed a commit to openwrt/openwrt that referenced this issue on Feb 26, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They are non-unicast and thus should be sent to the broadcast-IPv6 instead of a unicast address.
Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191
Signed-off-by: David Bauer <mail@david-bauer.net>
blocktrron added a commit to blocktrron/gluon that referenced this issue on Feb 27, 2024
See Gluon freifunk-gluon#3191
Link: freifunk-gluon#3191
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 97b9fcc)
openwrt-bot pushed a commit to openwrt/openwrt that referenced this issue on Feb 27, 2024
This patch avoids learning non-unicast targets in the vxlan FDB. They are non-unicast and thus should be sent to the broadcast-IPv6 instead of a unicast address.
Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: freifunk-gluon/gluon#3191
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 0985262)
blocktrron added a commit that referenced this issue on Feb 27, 2024
When a Gluon node receives a vxlan packet where the encapsulated Ethernet source-address is a broadcast or multicast address, the Gluon node adds this source-address to its fdb. Subsequently, all broadcast packets and therefore batman-adv OGMs are exclusively sent to this node as unicast.
I'm unsure if this behavior is okay (or how it happens organically). However, as this allows a DoS on a wired-mesh network, we should at least apply a hotfix. I will open a pull-request for this.
I assume meshing over wireguard using vxlan should not be affected from my understanding, as it's a 1:1 peer connection. Someone with more insight into this architecture should evaluate if this is also affected.
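The learning behaviour described in this issue, reduced to a toy forwarding table. This is an added example, not code from Gluon, OpenWrt or the kernel patch; the struct layout, function names and remote ids are assumptions. With permissive learning, a broadcast inner source captures every later broadcast lookup, while refusing group-address sources leaves broadcasts on the default flood entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FDB_MAX 8

/* Toy model (hypothetical): inner Ethernet address -> remote endpoint id. */
struct fdb_entry { uint8_t mac[6]; int remote; };
struct fdb { struct fdb_entry e[FDB_MAX]; int n; int default_remote; };

/* I/G bit: set for every multicast address, including ff:ff:ff:ff:ff:ff. */
static bool mac_is_group(const uint8_t *mac) { return mac[0] & 0x01; }

/* Returns the stored entry for mac, or NULL if there is none. */
static struct fdb_entry *fdb_find(struct fdb *f, const uint8_t *mac) {
    for (int i = 0; i < f->n; i++)
        if (memcmp(f->e[i].mac, mac, 6) == 0)
            return &f->e[i];
    return NULL;
}

/* strict=false learns any source (issue behaviour); strict=true skips group sources. */
static bool fdb_learn(struct fdb *f, const uint8_t *src, int remote, bool strict) {
    struct fdb_entry *e = fdb_find(f, src);
    if ((strict && mac_is_group(src)) || (!e && f->n == FDB_MAX))
        return false;              /* refused, or table full */
    if (!e)
        e = &f->e[f->n++];         /* new entry */
    memcpy(e->mac, src, 6);
    e->remote = remote;            /* create or refresh the mapping */
    return true;
}

/* Transmit lookup: exact match wins, otherwise the default (flood) remote. */
static int fdb_lookup(struct fdb *f, const uint8_t *dst) {
    struct fdb_entry *e = fdb_find(f, dst);
    return e ? e->remote : f->default_remote;
}

/* Remote used for broadcast after a broadcast-sourced frame came from remote 7. */
static int broadcast_target(bool strict) {
    const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    struct fdb f = { .n = 0, .default_remote = 0 };  /* 0 = flood (constructed) */
    fdb_learn(&f, bcast, 7, strict);
    return fdb_lookup(&f, bcast);
}

int main(void) {
    printf("permissive=%d strict=%d\n", broadcast_target(false), broadcast_target(true));
}
```

In the permissive case the broadcast lookup resolves to remote 7, the single node the frame came from; in the strict case it stays on the flood remote 0.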