Broadcast filtering

Wilco Baan Hofman wilco at baanhofman.nl
Wed Sep 23 17:38:04 EDT 2015


Hi all,

I'm trying to set up a few APs with Proxy-ARP, Proxy-NDP and broadcast
filtering for high density. So I basically want unicast-only. I'm
running on openwrt git now on compex WPJ558, btw, with
hostapd-2015-03-25. In this version router advertisements are converted
to unicast in a strange way: first it is sent out as multicast, then
unicast to all clients. Seems to be the worst of both worlds. I'll
retest with a git version soon.

ProxyARP still seems to flood unknown ARPs and I haven't figured out yet
where I can inspect the current MAC<->IP mappings. Where can I find
this, sysfs?
It also seems that there are some ageout issues, but if I can see it I
can debug it better here.

ProxyNDP seems to crash. This is based off a patch by Jouni Malinen sent
to LKML on 26 March 2015 [1]. I had to add an extra NULL (before ,skb)
in the NF_HOOK parameter list, because the arguments changed in the
meantime in 4.1.6. It still crashes on dst_output, for some reason. I
haven't tried in-depth debugging yet; I was hoping you are more familiar
with recent updates in the kernel in this area. If not, I'll dive into
this myself.

disable_dgaf does not appear to work without WPA2 Enterprise, and on
public networks I also need to drop broadcast packets. Is there a better
solution for this in hostapd?

I'm doing this now with ebtables as below, but given that I want to drop
pretty much everything that's not handled by the proxies, it seems like
hostapd would be a better place for this.

Bridge chain: FORWARD, entries: 15, policy: ACCEPT
-p ARP -j ACCEPT
-p IPv4 -o wlan1 --ip-proto udp --ip-dport 67 -j DROP
-p IPv4 -o wlan0 --ip-proto udp --ip-dport 67 -j DROP
-p IPv4 -i wlan0 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan1 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv6 -i wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type
router-advertisement -j DROP
-p IPv6 -i wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type
router-advertisement -j DROP
-p IPv6 -o wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type
router-advertisement -j ACCEPT
-p IPv6 -o wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type
router-advertisement -j ACCEPT
-p IPv6 -i wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type
router-solicitation -j ACCEPT
-p IPv6 -i wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type
router-solicitation -j ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-solicitation -j
ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-advertisement -j
ACCEPT
-d Broadcast -j DROP
-d Multicast -j DROP




[1] https://patchwork.ozlabs.org/patch/453933/

Kernel oops below:
[ 1594.407511] CPU 0 Unable to handle kernel paging request at virtual
address 00000048, epc == 8031fe48, ra == 80322618
[ 1594.418321] Oops[#1]:
[ 1594.420629] CPU: 0 PID: 0 Comm: swapper Not tainted 4.1.6 #1
[ 1594.426364] task: 803cca38 ti: 803c6000 task.ti: 803c6000
[ 1594.431833] $ 0   : 00000000 00000001 00000001 00000001
[ 1594.437166] $ 4   : 00000000 8646d240 00000000 00000000
[ 1594.442499] $ 8   : ff020000 00000000 00000000 00000001
[ 1594.447831] $12   : 00000000 80233006 00000000 00000000
[ 1594.453165] $16   : 8646d240 86f4a200 8031fe48 00000001
[ 1594.458497] $20   : 861d6fec 86f8e250 803e2118 803a7820
[ 1594.463830] $24   : 00000000 8007d964
[ 1594.469162] $28   : 803c6000 803c7908 00000020 80322618
[ 1594.474496] Hi    : 00001680
[ 1594.477417] Lo    : 00000000
[ 1594.480343] epc   : 8031fe48 dst_output+0x0/0x1c
[ 1594.485030] ra    : 80322618 br_ndisc_send_na+0x4a0/0x5e4
[ 1594.490503] Status: 1100fc03 KERNEL EXL IE
[ 1594.494771] Cause : 00800008
[ 1594.497693] BadVA : 00000048
[ 1594.500615] PrId  : 00019750 (MIPS 74Kc)
[ 1594.504591] Modules linked in: pppoe ppp_async iptable_nat ath9k
pppox ppp_generic nf_nat_ipv4 nf_conntrack_ipv6 nf_conntrack_ipv4
ipt_REJECT ipt_MASQUERADE ath9k_common xt_time xt_tcpudp xt_state xt_nat
xt_multiport xt_mark xt_mac xt_limit xt_id xt_conntrack xt_comment
xt_TCPMSS xt_REDIRECT xt_LOG xt_CT slhc nf_reject_ipv4 nf_nat_redirect
nf_nat_masquerade_ipv4 nf_nat_ftp nf_nat nf_log_ipv4 nf_defrag_ipv6
nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_ftp nf_conntrack
iptable_raw iptable_mangle iptable_filter ip_tables crc_ccitt ath9k_hw
ath10k_pci ath10k_core ath mac80211 cfg80211 compat ledtrig_usbdev
ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common ip6table_raw
ip6table_mangle ip6table_filter ip6_tables x_tables ohci_platform
ohci_hcd ehci_platform ehci_hcd gpio_button_hotplug usbcore nls_base
usb_common
[ 1594.578261] Process swapper (pid: 0, threadinfo=803c6000,
task=803cca38, tls=00000000)
[ 1594.586282] Stack : 803cb340 00000001 803cb340 00000001 5879e661
00000006 00000003 80000000
          0a000000 00000000 86f28000 00000000 8031fe48 00000000
00000001 fe800000
          00000000 0207aeff fef89bac 00000000 88000000 fe800000
00000000 0207aeff
          fef89bac 86fd5400 00000088 8024eb84 86ff5d80 00000000
00000001 803a7820
          00000000 00000000 86fd5400 86f28000 86fd5454 803234d4
8009b824 00000000
          ...
[ 1594.622608] Call Trace:
[ 1594.625087] [<8031fe48>] dst_output+0x0/0x1c
[ 1594.629418] [<80322618>] br_ndisc_send_na+0x4a0/0x5e4
[ 1594.634540] [<803234d4>] br_multicast_rcv+0xd78/0x153c
[ 1594.639755] [<8031a2b4>] br_handle_frame_finish+0xd0/0x54c
[ 1594.645319] [<8031aa88>] br_handle_frame+0x358/0x3e4
[ 1594.650358] [<80243c20>] __netif_receive_skb_core+0x420/0x86c
[ 1594.656260] [<8719e0ac>] ieee80211_csa_finalize_work+0xdb4/0x1678
[mac80211]
[ 1594.663463] [<871a0d54>] ieee80211_sta_ps_transition+0x1f34/0x3638
[mac80211]
[ 1594.670727]
[ 1594.672231]
Code: ac820420  03e00008  00000000 <8c820048> 2403fffe  00802821 
00621024  8c59002c  03200008
[ 1594.682404] ---[ end trace 7403d3552d8b77cc ]---
[ 1594.689018] Kernel panic - not syncing: Fatal exception in interrupt

Config file:
driver=nl80211
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
hw_mode=a
supported_rates=360 480 540
basic_rates=360
channel=36

proxy_arp=1
disable_dgaf=1
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=42
ieee80211ac=1
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC1][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]

interface=wlan0
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_algs=1
wpa=0
ssid=OpenWrt-5
bridge=br-lan
bssid=04:f0:21:11:e7:8a



Hope you can give me some pointers.

-- Wilco Baan Hofman
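The ebtables FORWARD chain above is hand-typed per interface, which is easy to get out of order: the broadcast and multicast drops must come after every accept for traffic the proxies rely on. The script below is an added example, not code from the post or from hostapd/OpenWrt; it generates the same 15-rule set from an interface list (WLAN_IFACES, assumed to be wlan0 and wlan1 as in the post) so the ordering is the same on every AP, and only installs it when run as root with APPLY_RULES=1 and ebtables (legacy syntax, assumed) available. Otherwise it prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): generate the unicast-only
# ebtables FORWARD rule set for a list of AP interfaces, so the ordering
# is produced mechanically rather than typed per interface.
# Assumptions: legacy ebtables syntax, wireless interfaces named in
# WLAN_IFACES, DHCP server and IPv6 router on the wired side of the bridge.

WLAN_IFACES="${WLAN_IFACES:-wlan0 wlan1}"

# Emit one rule per line, in insertion order. Everything the proxies and
# the router handle (ARP, ND, RS/RA, DHCP) is matched first; the last two
# rules drop whatever non-unicast traffic is left.
unicast_only_rules() {
    # ARP is answered by the bridge's proxy ARP, so it must get through.
    echo "-p ARP -j ACCEPT"
    for dev in $WLAN_IFACES; do
        # Do not forward DHCP requests (dport 67) towards wireless clients:
        # the server is on the wired side, and a rogue server on the
        # wireless side must not see them.
        echo "-p IPv4 -o $dev --ip-proto udp --ip-dport 67 -j DROP"
        # Client -> server DHCP from the wireless side is allowed.
        echo "-p IPv4 -i $dev --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT"
        # Router advertisements may only originate on the wired side.
        echo "-p IPv6 -i $dev --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP"
        echo "-p IPv6 -o $dev --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT"
        # Router solicitations from clients must reach the router.
        echo "-p IPv6 -i $dev --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT"
    done
    # Neighbour discovery must be accepted before the multicast drop below.
    echo "-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT"
    echo "-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT"
    # Everything else that is not unicast is dropped.
    echo "-d Broadcast -j DROP"
    echo "-d Multicast -j DROP"
}

# Number of rules the generator produces: 1 + 5 per interface + 4.
rule_count() {
    unicast_only_rules | wc -l | tr -d ' '
}

# Print the ebtables commands without touching the kernel.
preview_rules() {
    unicast_only_rules | sed 's/^/ebtables -A FORWARD /'
}

# Flush and reinstall the FORWARD chain; refuses to run without root
# privileges or without an ebtables binary on the PATH.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ebtables >/dev/null 2>&1; then
        echo "apply_rules: need root and ebtables; use preview_rules" >&2
        return 1
    fi
    ebtables -F FORWARD
    unicast_only_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        ebtables -A FORWARD $rule
    done
    ebtables -L FORWARD
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_rules
else
    preview_rules
fi
```

Two caveats when using a rule set like this on a production bridge: the final `-d Multicast -j DROP` also discards DHCPv6 (clients send to ff02::1:2) and MLD reports, so if either is needed an explicit ACCEPT has to be added before that rule; and on systems where `ebtables` is the nft-based compatibility wrapper, check `ebtables -L FORWARD` after loading to confirm the rules were accepted in the order generated.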
