gluon-mesh-batman-adv-brmldproxy: add package

[T-X]

Now that we have general support for routable IPv6 multicast address in Gluon main thanks to the newer Linux (bridge) and batman-adv versions it becomes more interesting to also support layer 3 IPv6 multicast routers.

So far this was also not possible with the default settings in Gluon due to filtering MLD into the mesh. This now adds support for brmldproxy, a daemon which proxies MLD reports between bridge ports.

For the Gluon scenario this package adds brmldproxy proxying configuration for the mesh side bat0 bridge port.

The configuration is tuned in a way to enable the usage of layer 3 IPv6 multicast routers for routable IPv6 multicast address ranges. But with a lot smaller MLD overhead compared to the filter_membership_reports=false site.conf option.

If a node has no multicast listener for a routable IPv6 multicast address then this node will emit no MLD report into the mesh. Furthermore, if a node has multiple multicast listening hosts for routable IPv6 multicast addresses then the node will act in deputy and respond with combined, aggregated MLD reports on behalf.

This package is currently incompatible with a
filter_membership_reports=true site.conf option.

---

This pull-request requires: freifunk-gluon/packages#264

[T-X]

Changelog v2:

• added necessary firewall rules for the brmldp0 interface through package/gluon-mesh-batman-adv-brmldproxy/luasrc/lib/gluon/upgrade/400-brmldproxy-firewall (not much, as the tc rules that are set up by brmldproxy are applied before iptables)

[T-X]

Changelog v3:

• Added a patch / config option to batman-adv to forward MLD reports only to multicast routers instead of always flooding MLD reports, to further reduce overhead.
  • That way, when installing this package it makes no difference in overhead, still no MLD reports in the mesh then if no multicast router is present (as I assume no one has installed any multicast routers yet). On the other hand the batman-adv patch should be inactive / make no difference when gluon-mesh-batman-adv-brmldproxy is not installed.

[ecsv]

Regarding the batman-adv patch: I think this a patch which could be integrated in upstream when the real world effects are verified/tested in actual setups.

[T-X]

As discussed during the Gluon meeting back then it would be great to gather a bit of real world experiences with it.

I've now prepared some packages with all the upcoming batman-adv / Gluon multicast features integrated into Gluon package feeds. So far tested on VMs only, but real hardware tests coming up next. It should be enough to just add it to your site/modules file and update all nodes with it. Should compile+run for Gluon v2021.1.x, Gluon v2023.1 and Gluon master: https://github.com/T-X/gluon-batman-adv-next/

If any community would be interested in testing IPv6 multicast routing between communities (on their own Gluon domains), let me know.

[T-X]

With the last firmware update at Freifunk Lübeck the latest gluon-batman-adv-next package feed was rolled out, with brmldproxy integration and the latest batman-adv release (v2024.0). So far we didn't notice any issues/regressions.

Haven't found a second community to test an IPv6 multicast router (pim6sd) on a Gluon based network with, but with using mrdisc (https://github.com/troglobit/mrdisc) on one wifi client I can see the MLD reports for (mostly) routable multicast addresses arriving on the local Gluon node from other nodes in tcpdump. And when stopping mrdisc, I don't see these MLD reports anymore.

So to me seems to work as expected/intended on a real setup.

[T-X]

Two more notes / observations thanks to @ecsv :

1. When "filter_membership_reports=true" if we were adding brmldproxy by default, I wanted people to think/check what they actually want: I wanted to avoid that people will see MLD reports over their mesh without expecting it.

Unfortunately, with the current need_value(in_site({'mesh', 'filter_membership_reports'}), true, false) in need_value(in_site({'mesh', 'filter_membership_reports'}), true, false) the error message is actually inverted:

need_value(in_site({'mesh', 'filter_membership_reports'}), true, false)

(Not quite sure how to fix that. Would I need to implement a new need_value() variant?)

2. When "filter_membership_reports=false" I would interpret this as people wanting MLD reports of all listeners over the mesh. And if brmldproxy were added by default and not unselected via -brmldproxy expclicitly, that brmldproxy would still proxy all these reports, to reduce their overhead.

However I forgot to implement to dynamically generate gluon-mesh-batman-adv-brmldproxy/files/etc/config/brmldproxy then from the Gluon Lua update scripts, with "list excludefilter 'ff02::/ff0f::'" removed in that "filter_membership_reports=false" case. Will fix that.

---

With "filter_membership_reports" not set in a site.conf I'd assume that people want to have the behaviour which Gluon maintainers would suggest for most cases. Which in my opinion would be, and what is currently implemented, to have brmldproxy installed by default. With MLD reports only forwarded if a client listening to routeable multicast addresses and an IPv6 multicast router is present.

[T-X]

Changelog v4:

• rebased to current master
• added option to also use filter_membership_reports=false
• for this removed the static bpfcountd UCI config file and generate it via a Gluon upgrade Lua script instead
• for that renamed /lib/gluon/upgrade/400-brmldproxy-firewall to /lib/gluon/upgrade/400-brmldproxy
• absence of filter_membership_reports now defaults to "true" for gluon-mesh-batman-adv-brmldproxy
• updated Makefile+docs description
• moved "batctl multicast_mld_rtr_only 1" call addition from netifd gluon_bat0.sh to a separate hotplug.d script
• added patch: "gluon-ebtables: don't filter incoming MLD Reports via ebtables"
• added patch: "gluon-mesh-batman-adv-brmldproxy: add to mesh-batman-adv-15 by default"

The bpfcountd concept has now also successfully been tested between Freifunk Lübeck and a domain at Freifunk Vogtland. With pim6sd and bpfcountd multicast audio could be transmitted on one and listened to in the other Gluon site/domain.

[T-X]

Changelog v5:

• rebased to current master (no conflicts)
• removed the patch "gluon-mesh-batman-adv-brmldproxy: add to mesh-batman-adv-15 by default" to not add brmldproxy by default with batman-adv
• /etc/hotplug.d/iface/50-gluon-mesh-batman-adv-brmldproxy:
  • removed executable/enabled checks on /etc/init.d/brmldproxy, as not required due to dependencies and we don't allow manually disabling it for now
  • use Lua JSON filtering/checking instead of piping the full site through the jsonfilter process
• only remove incoming MLD report ebtables filters if using brmldproxy, to avoid any functional changes to any setups without brmldproxy

[rotanid]

@T-X have you seen the comments by neocturne? these are without answers, at least as far as i can see

[T-X]

Changelog v6:

• rebased to current main branch (no conflicts)
• replaced the batman-adv mld-rtr-only configuration option with additional tc-DNAT'ing for now, to be able to use brmldproxy with low MLD report overhead even without any changes to batman-adv
  • note: we have to temporarily change the ICMPv6 type from MLD report to something else, here "100 - Private experimentation", to avoid that batman-adv always floods it
• simplified the "don't filter incoming MLD Reports" patch by moving the change from gluon-ebtables to gluon-mesh-batman-adv-brmldproxy
  • these two changes allow to use gluon-mesh-batman-adv-brmldproxy with both a vanilla Gluon and vanilla batman-adv now, making it suitable for any external feed as is
• replaced ( [ ... ] || [ ... ] ) && ... in gluon-mesh-batman-adv-brmldproxy with { [ ... ] || [ ...]; } && ... to avoid a sub-shell invocation, to make the linter happy

[T-X]

@rotanid thanks for the comment, but I think all of @neocturne 's previous remarks were addressed in v5 already

[T-X]

Changelog v7:

• rebased to current Gluon main (no changes)
• 51-gluon-mesh-batman-adv-brmldproxy hotplug script:
  • added "set -e"
  • replaced "{ [ ... ] } && exit 0" patterns with if/else oneliners
  • added helper functions for tc calls to avoid repetitions
• gluon-brmldproxy-router-check:
  • calculated a Gluon multicast router multicast address from domain seed and used a unicast prefix based multicast address
  • added a small comment for the RFC origin of its format
• to ease overall configuration added a patch to auto-enable a mesh-side MLD querier (candidate) if that node's client port features a multicast router

Could not use JSON for the "batctl mcast_flags" check though as the own flags in the reader are not printed in batctl's JSON mode output.

[T-X]

Changelog v8:

• make linter happy about missing quotes

[T-X]

Changelog v9:

• use/check the JSON output from "batctl mj" instead of regex'ing from "batctl mcast_flags" output (wasn't aware until a minute ago that the former existed and outputs the own batman-adv multicast flags in JSON format :D)
  • this should now have addressed all of @neocturne's previous remarks and suggestions

[rotanid]

currently, further development happens over at freifunk-gluon/community-packages#151 because more people can help with shellcheck issues.
at a later point, it might be possible to copy it to here, but currently it is NOT 100% the same thing unlike claimed.

[T-X]

Changelog v10:

• rebased to current main branch (no changes)
• synced to state in gluon-community packages:
  • linting/style fixes
  • used $(PKG_NAME) in Makefile

[neocturne]

OpenWrt's convention is never to use $(PKG_NAME) like this, and Gluon follows this convention.

[neocturne]

Suggested change

	include $(TOPDIR)/../package/gluon.mk
	include ../gluon.mk

[neocturne]

What happens when the client interface is taken down and up again repeatedly?

[neocturne]

What is this waiting for? Is something else creating these qdiscs?