Broadcast filtering

Wilco Baan Hofman wilco
Wed Sep 23 14:38:04 PDT 2015


Hi all,

I'm trying to set up a few APs with Proxy-ARP, Proxy-NDP and broadcast
filtering for high density. So I basically want unicast-only. I'm
running on OpenWrt git now on a Compex WPJ558, btw, with
hostapd-2015-03-25. In this version router advertisements are converted
to unicast in a strange way. First it is sent out as multicast, then
unicast to all clients. Seems to be the worst of both worlds. I'll
retest with a git version soon.

ProxyARP still seems to flood unknown ARPs and I haven't figured out yet
where I can inspect the current mac<->IP mappings. Where can I find
this, sysfs?
It also seems that there are some ageout issues, but if I can see it I
can better debug here.

ProxyNDP seems to crash. This is based off a patch by Jouni Malinen sent
to LKML on 26 March 2015[1].  I had to add an extra NULL (before ,skb)
in the NF_HOOK parameter list, because the arguments changed in the
meantime in 4.1.6. It still crashes on dst_output, for some reason. I
haven't tried in-depth debugging yet; I was hoping you are more familiar
with recent updates in the kernel in this area.  If not, I'll dive into
this myself.

disable_dgaf does not appear to work without WPA2 enterprise and on
public networks I also need to drop broadcast packets, is there a better
solution for this in hostapd?

I'm doing this now with ebtables as below, but given that I want to drop
pretty much everything that's not handled by the proxies, it seems like
hostapd would be a better place for this.

Bridge chain: FORWARD, entries: 15, policy: ACCEPT
-p ARP -j ACCEPT
-p IPv4 -o wlan1 --ip-proto udp --ip-dport 67 -j DROP
-p IPv4 -o wlan0 --ip-proto udp --ip-dport 67 -j DROP
-p IPv4 -i wlan0 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan1 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv6 -i wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-p IPv6 -i wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-p IPv6 -o wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-p IPv6 -o wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-p IPv6 -i wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-p IPv6 -i wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
-d Broadcast -j DROP
-d Multicast -j DROP




[1] https://patchwork.ozlabs.org/patch/453933/

Kernel oops below:
[ 1594.407511] CPU 0 Unable to handle kernel paging request at virtual address 00000048, epc == 8031fe48, ra == 80322618
[ 1594.418321] Oops[#1]:
[ 1594.420629] CPU: 0 PID: 0 Comm: swapper Not tainted 4.1.6 #1
[ 1594.426364] task: 803cca38 ti: 803c6000 task.ti: 803c6000
[ 1594.431833] $ 0   : 00000000 00000001 00000001 00000001
[ 1594.437166] $ 4   : 00000000 8646d240 00000000 00000000
[ 1594.442499] $ 8   : ff020000 00000000 00000000 00000001
[ 1594.447831] $12   : 00000000 80233006 00000000 00000000
[ 1594.453165] $16   : 8646d240 86f4a200 8031fe48 00000001
[ 1594.458497] $20   : 861d6fec 86f8e250 803e2118 803a7820
[ 1594.463830] $24   : 00000000 8007d964
[ 1594.469162] $28   : 803c6000 803c7908 00000020 80322618
[ 1594.474496] Hi    : 00001680
[ 1594.477417] Lo    : 00000000
[ 1594.480343] epc   : 8031fe48 dst_output+0x0/0x1c
[ 1594.485030] ra    : 80322618 br_ndisc_send_na+0x4a0/0x5e4
[ 1594.490503] Status: 1100fc03 KERNEL EXL IE
[ 1594.494771] Cause : 00800008
[ 1594.497693] BadVA : 00000048
[ 1594.500615] PrId  : 00019750 (MIPS 74Kc)
[ 1594.504591] Modules linked in: pppoe ppp_async iptable_nat ath9k
pppox ppp_generic nf_nat_ipv4 nf_conntrack_ipv6 nf_conntrack_ipv4
ipt_REJECT ipt_MASQUERADE ath9k_common xt_time xt_tcpudp xt_state xt_nat
xt_multiport xt_mark xt_mac xt_limit xt_id xt_conntrack xt_comment
xt_TCPMSS xt_REDIRECT xt_LOG xt_CT slhc nf_reject_ipv4 nf_nat_redirect
nf_nat_masquerade_ipv4 nf_nat_ftp nf_nat nf_log_ipv4 nf_defrag_ipv6
nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_ftp nf_conntrack
iptable_raw iptable_mangle iptable_filter ip_tables crc_ccitt ath9k_hw
ath10k_pci ath10k_core ath mac80211 cfg80211 compat ledtrig_usbdev
ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common ip6table_raw
ip6table_mangle ip6table_filter ip6_tables x_tables ohci_platform
ohci_hcd ehci_platform ehci_hcd gpio_button_hotplug usbcore nls_base
usb_common
[ 1594.578261] Process swapper (pid: 0, threadinfo=803c6000, task=803cca38, tls=00000000)
[ 1594.586282] Stack : 803cb340 00000001 803cb340 00000001 5879e661 00000006 00000003 80000000
        0a000000 00000000 86f28000 00000000 8031fe48 00000000 00000001 fe800000
        00000000 0207aeff fef89bac 00000000 88000000 fe800000 00000000 0207aeff
        fef89bac 86fd5400 00000088 8024eb84 86ff5d80 00000000 00000001 803a7820
        00000000 00000000 86fd5400 86f28000 86fd5454 803234d4 8009b824 00000000
        ...
[ 1594.622608] Call Trace:
[ 1594.625087] [<8031fe48>] dst_output+0x0/0x1c
[ 1594.629418] [<80322618>] br_ndisc_send_na+0x4a0/0x5e4
[ 1594.634540] [<803234d4>] br_multicast_rcv+0xd78/0x153c
[ 1594.639755] [<8031a2b4>] br_handle_frame_finish+0xd0/0x54c
[ 1594.645319] [<8031aa88>] br_handle_frame+0x358/0x3e4
[ 1594.650358] [<80243c20>] __netif_receive_skb_core+0x420/0x86c
[ 1594.656260] [<8719e0ac>] ieee80211_csa_finalize_work+0xdb4/0x1678 [mac80211]
[ 1594.663463] [<871a0d54>] ieee80211_sta_ps_transition+0x1f34/0x3638 [mac80211]
[ 1594.670727]
[ 1594.672231]
Code: ac820420  03e00008  00000000 <8c820048> 2403fffe  00802821  00621024  8c59002c  03200008
[ 1594.682404] ---[ end trace 7403d3552d8b77cc ]---
[ 1594.689018] Kernel panic - not syncing: Fatal exception in interrupt

Config file:
driver=nl80211
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
hw_mode=a
supported_rates=360 480 540
basic_rates=360
channel=36

proxy_arp=1
disable_dgaf=1
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=42
ieee80211ac=1
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC1][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]

interface=wlan0
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_algs=1
wpa=0
ssid=OpenWrt-5
bridge=br-lan
bssid=04:f0:21:11:e7:8a



Hope you can give me some pointers.

-- Wilco Baan Hofman
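
An added example, not part of the original message: a small Python model that parses the FORWARD chain listed above and reports the first rule a bridged frame hits. The frame dictionaries and the uplink port name eth0 are constructed for illustration, and the model evaluates one (input port, output port) pair at a time.

```python
# Rule listing copied from the message above (wrapped lines rejoined).
LISTING = """\
-p ARP -j ACCEPT
-p IPv4 -o wlan1 --ip-proto udp --ip-dport 67 -j DROP
-p IPv4 -o wlan0 --ip-proto udp --ip-dport 67 -j DROP
-p IPv4 -i wlan0 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan1 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv6 -i wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-p IPv6 -i wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
-p IPv6 -o wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-p IPv6 -o wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
-p IPv6 -i wlan0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-p IPv6 -i wlan1 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
-d Broadcast -j DROP
-d Multicast -j DROP
"""
# Listing option -> field name in the frame dicts (all frame values are strings).
FIELD = {"-p": "proto", "-i": "in", "-o": "out", "-d": "dst", "--ip-proto": "l4",
         "--ip6-proto": "l4", "--ip-sport": "sport", "--ip-dport": "dport",
         "--ip6-icmp-type": "icmp6"}

def parse(listing):
    """Turn each listing line into (match-dict, target); every option takes one value."""
    rules = []
    for tok in map(str.split, listing.splitlines()):
        opts = dict(zip(tok[0::2], tok[1::2]))
        rules.append(({FIELD[k]: v for k, v in opts.items() if k != "-j"}, opts["-j"]))
    return rules

def dst_matches(name, mac):
    """Broadcast = ff:ff:ff:ff:ff:ff; Multicast = group bit of the first octet set."""
    if name == "Broadcast":
        return mac.lower() == "ff:ff:ff:ff:ff:ff"
    return bool(int(mac[:2], 16) & 1)

def verdict(frame, rules, policy="ACCEPT"):
    """Return (1-based rule number, target) of the first match, else (None, policy)."""
    for n, (match, target) in enumerate(rules, 1):
        if all(dst_matches(v, frame["dst"]) if k == "dst" else frame.get(k) == v
               for k, v in match.items()):
            return n, target
    return None, policy
RULES = parse(LISTING)
# Constructed sample frame: a wireless client on wlan0 sending a router advertisement.
ROGUE_RA = {"in": "wlan0", "out": "eth0", "dst": "33:33:00:00:00:01", "proto": "IPv6",
            "l4": "ipv6-icmp", "icmp6": "router-advertisement"}
print(verdict(ROGUE_RA, RULES))
```

Feeding it a broadcast ARP request shows rule 1 accepting the frame before the final broadcast and multicast drops are reached.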
