fff-hoods: Use fe80::fff:1 to access hood file from gateways

Submitted by Adrian Schmutzler on Dec. 5, 2018, 8:06 p.m.

Details

Message ID 20181205200603.7169-1-freifunk@adrianschmutzler.de
State Rejected

Commit Message

Adrian Schmutzler Dec. 5, 2018, 8:06 p.m.
Since occasionally client devices take the fe80::1 address,
we change the gateways' address to fe80::fff:1, which should
provide more uniqueness.

Note that this only changes the address of the gateways, but
not of the configap. The latter would break compatibility
between meshing devices.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>

---

This patch is provided for the case that all gateway admins
add the fe80::fff:1 address to the interfaces.
---
 src/packages/fff/fff-hoods/Makefile                             | 2 +-
 src/packages/fff/fff-hoods/files/usr/lib/functions/fff/hoodfile | 2 +-
 src/packages/fff/fff-hoods/files/usr/sbin/configurehood         | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)


diff --git a/src/packages/fff/fff-hoods/Makefile b/src/packages/fff/fff-hoods/Makefile
index 264d28ab..a76e9c5f 100644
--- a/src/packages/fff/fff-hoods/Makefile
+++ b/src/packages/fff/fff-hoods/Makefile
@@ -1,7 +1,7 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-hoods
-PKG_VERSION:=5
+PKG_VERSION:=6
 PKG_RELEASE:=1
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
diff --git a/src/packages/fff/fff-hoods/files/usr/lib/functions/fff/hoodfile b/src/packages/fff/fff-hoods/files/usr/lib/functions/fff/hoodfile
index 89af84c8..3dad69ad 100644
--- a/src/packages/fff/fff-hoods/files/usr/lib/functions/fff/hoodfile
+++ b/src/packages/fff/fff-hoods/files/usr/lib/functions/fff/hoodfile
@@ -86,7 +86,7 @@  getGatewayHoodfile() {
 
 	echo "Trying to get hoodfile from gateway..."
 
-	if wget -T15 -t5 -O "$file" "http://[fe80::1%br-mesh]:2342/keyxchangev2data"; then
+	if wget -T15 -t5 -O "$file" "http://[fe80::fff:1%br-mesh]:2342/keyxchangev2data"; then
 		return 0
 	else
 		return 1
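
Review bot: The wget URL in getGatewayHoodfile() now tries only fe80::fff:1 and has no fallback to fe80::1, so a node with this change gets no hoodfile from a gateway that has not yet been given the new address. The note below the commit message says the patch assumes all gateway admins add fe80::fff:1 first; trying the new address and then falling back to the old one would remove that ordering dependency. Separately, the file is still fetched over plain http:// from a link-local address that any device on br-mesh can claim, so the new address reduces accidental collisions but does not authenticate the source.
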
diff --git a/src/packages/fff/fff-hoods/files/usr/sbin/configurehood b/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
index de60c21d..2bf64f4b 100755
--- a/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
+++ b/src/packages/fff/fff-hoods/files/usr/sbin/configurehood
@@ -103,7 +103,7 @@  else
 
 			getEthernetHoodfile "$hoodfiletmp" || getWirelessHoodfile "$hoodfiletmp"
 		else
-			echo "We have a Gateway in Range, we load the keyxchangev2data from fe80::1"
+			echo "We have a Gateway in Range, we load the keyxchangev2data from fe80::fff:1"
 			getGatewayHoodfile "$hoodfiletmp" && cp "$hoodfiletmp" "$hoodfilewww"
 		fi
 	fi
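
Review bot: The address literal in this echo message duplicates the one in the wget URL in hoodfile and in the "ip -6 route add" line further down, so the three can drift apart on the next change. Holding the gateway address in one variable and using it in the message, the URL and the route would keep them in sync.
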
@@ -239,7 +239,7 @@  if [ -s "$hoodfiletmp" ]; then
 			echo "Address already set."
 		fi
 		if ! ( ip -6 route show dev br-mesh | grep -q "fc00::" ) ; then
-			ip -6 route add fc00::/7 via fe80::1 dev br-mesh
+			ip -6 route add fc00::/7 via fe80::fff:1 dev br-mesh
 			echo "Set ULA route to br-mesh."
 		else
 			echo "Route already set."
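
Review bot: The guard above the changed line, ip -6 route show dev br-mesh | grep -q "fc00::", only checks that some fc00:: route exists, so on a node where the route via fe80::1 is still installed the new next hop is never set and the script prints "Route already set.". Using "ip -6 route replace fc00::/7 via fe80::fff:1 dev br-mesh", or matching the next hop in the check, would make the change take effect without the old route having to disappear first.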

Comments

Fabian Blaese Dec. 5, 2018, 9:30 p.m.
Hello,

I see this as a workaround at most.
Someone can just as well grab fe80::fff:1 and break everything very quickly.

What would make sense here, if anything, is a firewall that blocks the corresponding Neighbour Advertisements. That would not break any compatibility either.
Layer 2 networks are simply insecure per se.

Regards
Fabian

Adrian Schmutzler Dec. 5, 2018, 9:35 p.m.
Hello,

that is correct in principle.

We are not fixing a deliberate attack with this, but rather the cases of unintentional disruption that have been observed in the past.

I cannot build a firewall-based solution; if someone else contributes such a solution, I will gladly accept it.

Accordingly, I am offering this "workaround" for now, since it solves a problem, is relatively simple, and I am able to implement it.

Regards

Adrian
