[Click] FromDevice(... SNIFFER false) not blocking forwarding
Bernd May
eric at cs.tu-berlin.de
Tue Jan 17 08:36:36 EST 2012
Hello Clicklist,
I recently worked on a couple of assignments in a course about wireless
routing. While programming my static click router I stumbled upon
something about which I'd like to know whether it works as intended or
should be changed.
When creating a FromDevice element in userspace, we disabled the sniffer
mode via "SNIFFER false" to prevent the kernel from receiving and
routing packets itself. We wanted all the traffic to pass through our
click router.
Though this resulted in the correct placement of a drop-all rule in the
iptables INPUT chain, we encountered quite a number of duplicate packets
in our network when routing over more than one hop.
After some debugging we identified the kernel as the culprit. Though
our click router was doing fine, packets that arrived at an interface
but were not destined for this node, i.e. needed to be forwarded, were
still sent to the kernel. This is due to the routers having
ip_forwarding enabled in /proc/sys/net/ipv4/ip_forward and packets not
for the local system never passing the INPUT chain but instead going
directly to the FORWARD chain. Thus they eluded the drop rule and
appeared in our FromHost element that was supposed to grab locally
generated traffic.
For example, a ping packet was then received once on a device, went
through our click router and was sent out on another device. At the same
time the packet was received by the kernel, routed through its routing
table, sent to our FromHost element, routed through click and sent out
via a ToDevice. And so one ping becomes two...
My question resulting from that is: does this work as intended?
If so, should there be a comment or note in the click documentation of
the FromDevice element that informs the user about this? E.g. "When
using click it is assumed that packet forwarding of the underlying
kernel is disabled" or "SNIFFER false only blocks packets destined for
the local machine".
Greetings
Bernd
PS.: Below is a more complete description of our setup
The setup consists of three wireless nodes running openwrt-backfire,
each with an ethernet interface and two wireless ones. The goal of the
assignment was to connect the nodes via wireless networks, one of them
taking the role of a gateway router to the other networks. Click has to
run in userspace.
example: 10.69.1.1 <- node1 -> 10.69.2.1, 10.69.2.2 <- node2 -> 10.69.3.1, 10.69.3.2 <- node3
Also, all of the nodes are attached to a stepping stone via their
ethernet interface; node1 was supposed to route the traffic for the eth0
of node2 and node3 as well. All networks are /24. The click router is
supposed to route all traffic, locally generated and otherwise received.
I can provide a sample configuration of the nodes if required.
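The kernel path Bernd describes, as an added illustration that is not part of the original post and not Click code: after ip_rcv the routing decision sends locally destined packets through the INPUT chain, while transit packets skip INPUT entirely and, with ip_forward enabled, go straight to the FORWARD chain. The model below uses node2's addresses from the post, simplifies iptables rules to (input interface, target) pairs, and assumes, as the post reports, that FromDevice(SNIFFER false) installs a per-interface drop rule in INPUT. The packets and the two candidate fixes (ip_forward off, or a DROP rule in FORWARD) are constructed for the example.

```python
"""Constructed model of the Linux IPv4 receive path behind the duplicate-ping
report: INPUT is only consulted for locally destined packets, so a drop rule
there never sees packets the kernel is going to forward.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A rule matches an input interface (None = any) and yields a target.
Rule = Tuple[Optional[str], str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_dev: str  # interface the packet arrived on


@dataclass
class Node:
    # interface name -> address with prefix, e.g. "wlan0": "10.69.2.2/24"
    addrs: Dict[str, str]
    ip_forward: bool = True
    # chain name -> rule list; an empty chain falls through to policy ACCEPT
    chains: Dict[str, List[Rule]] = field(
        default_factory=lambda: {"INPUT": [], "FORWARD": []})

    def is_local(self, dst: str) -> bool:
        return any(str(ipaddress.ip_interface(a).ip) == dst
                   for a in self.addrs.values())

    def walk_chain(self, chain: str, pkt: Packet) -> str:
        for in_dev, target in self.chains[chain]:
            if in_dev is None or in_dev == pkt.in_dev:
                return target
        return "ACCEPT"  # default chain policy

    def kernel_verdict(self, pkt: Packet) -> str:
        """Where the kernel's own copy of an arriving packet ends up."""
        if self.is_local(pkt.dst):
            return "INPUT:" + self.walk_chain("INPUT", pkt)
        if not self.ip_forward:
            # transit packet with forwarding off: the route lookup fails and
            # the packet is discarded before any chain is consulted
            return "NOROUTE:DROP"
        return "FORWARD:" + self.walk_chain("FORWARD", pkt)


def sniffer_false(node: Node, dev: str) -> None:
    """Assumed form of what FromDevice(... SNIFFER false) installs, per the
    post: a drop rule for that device at the head of the INPUT chain."""
    node.chains["INPUT"].insert(0, (dev, "DROP"))


def copies_sent(node: Node, pkt: Packet) -> int:
    """Packets leaving the node for one arriving transit packet: Click always
    forwards its copy (FromDevice sees every frame); the kernel adds a second
    when its copy is accepted in FORWARD and reappears via FromHost."""
    click_copy = 1
    kernel_copy = 1 if node.kernel_verdict(pkt) == "FORWARD:ACCEPT" else 0
    return click_copy + kernel_copy


def node2(ip_forward: bool = True, forward_rules: Tuple[Rule, ...] = ()) -> Node:
    """node2 from the post: 10.69.2.2 on one radio, 10.69.3.1 on the other,
    both interfaces owned by FromDevice(SNIFFER false)."""
    n = Node({"wlan0": "10.69.2.2/24", "wlan1": "10.69.3.1/24"},
             ip_forward=ip_forward)
    for dev in n.addrs:
        sniffer_false(n, dev)
    n.chains["FORWARD"].extend(forward_rules)
    return n


# Constructed packets: a ping from node1 to node3 transiting node2, and one
# addressed to node2 itself, both arriving on wlan0.
TRANSIT = Packet("10.69.2.1", "10.69.3.2", "wlan0")
LOCAL = Packet("10.69.2.1", "10.69.2.2", "wlan0")


def demo() -> Dict[str, Tuple[str, int]]:
    baseline = node2()
    fwd_off = node2(ip_forward=False)
    fwd_drop = node2(forward_rules=((None, "DROP"),))
    return {
        "baseline transit": (baseline.kernel_verdict(TRANSIT), copies_sent(baseline, TRANSIT)),
        "baseline local": (baseline.kernel_verdict(LOCAL), copies_sent(baseline, LOCAL)),
        "ip_forward=0 transit": (fwd_off.kernel_verdict(TRANSIT), copies_sent(fwd_off, TRANSIT)),
        "FORWARD DROP transit": (fwd_drop.kernel_verdict(TRANSIT), copies_sent(fwd_drop, TRANSIT)),
    }


if __name__ == "__main__":
    for name, (verdict, copies) in demo().items():
        print(f"{name:22s} kernel={verdict:15s} copies sent={copies}")
```

In the baseline the local ping is stopped by the INPUT rule, but the transit ping is accepted in FORWARD and leaves the node twice, which is the behaviour reported above; either fix brings it back to one copy. On a real node the equivalent checks are `cat /proc/sys/net/ipv4/ip_forward` and `iptables -S FORWARD`, and the corresponding remedies are `sysctl -w net.ipv4.ip_forward=0` or a `-j DROP` rule in FORWARD for the interfaces Click owns.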