ffwizard, olsr: validate mesh addresses, filter large HNAs #346
Comments
Since we want the wizard to be usable with other communities (e.g. Potsdam or Fuerstenwalde), limiting the wizard to our /14 and multiple /16 ranges would have to be set in the community profiles. The communities would have to maintain their profiles, or we generate the profiles from https://github.com/freifunk/icvpn-meta (example Berlin https://github.com/freifunk/icvpn-meta/blob/master/berlin). We would have to assume that the communities are keeping this information up-to-date.

I use a totally non-freifunk-berlin range of IP addresses when I do unit testing. It would be an inconvenience to have to use freifunk-berlin IP addresses, but it also won't be that bad.

About having OLSRd reject HNAs larger than a /23... I think /22 would be better. But where would you want to do this check? In the OpenWrt init script https://github.com/openwrt/routing/blob/master/olsrd/files/olsrd4.init or in the cfgparser code of OLSRd https://github.com/OLSR/olsrd/tree/master/src/cfgparser? In either case, I think this change would not be done at the falter-packages level.
Thanks, good points.
It could also allow something larger like I'm basically just worrying about someone announcing subsets of the default route which aren't equal to the default route and thus harder to spot. E.g. announce (= hijack) only Gmail prefixes and fly under the radar because it's just another /24.
Sure /22 works too
Yep it'd probably have to be in OLSR. Another option would be routing table masking (i.e. have a second table that "masks" the actual OLSR kernel table) but I don't know if that's an actual thing.
Maintainer:
Environment:
Description:
There are a couple of issues with mesh addresses that could be considered invalid.
Options:
/16
ranges in 10.0.0.0/8
./23
.
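The HNA filter discussed in this thread, written out as an added example (not code from falter-packages or OLSRd). The mesh ranges are constructed placeholders standing in for a community profile, the /22 limit is the value suggested in the comments, and `classify_hna` and `review` are hypothetical names. It also goes one step beyond the size check by flagging small prefixes outside the mesh ranges, the "just another /24" case raised above.

```python
import ipaddress

# Constructed community profile (assumption, not real Freifunk allocations).
MESH_RANGES = [ipaddress.ip_network("10.99.0.0/16"),
               ipaddress.ip_network("10.100.0.0/16")]
MIN_PREFIXLEN = 22  # HNAs larger than a /22 are rejected
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def classify_hna(prefix, mesh_ranges=MESH_RANGES, min_prefixlen=MIN_PREFIXLEN):
    """Return (verdict, reason) for one announced IPv4 HNA prefix."""
    try:
        # strict=True rejects entries with host bits set, e.g. 10.99.4.1/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return ("reject", f"not a valid network: {exc}")
    if net.version != 4:
        return ("reject", "only IPv4 HNAs are handled here")
    if net == DEFAULT_ROUTE:
        # An exact default route is a normal gateway announcement.
        return ("accept", "default route")
    if net.prefixlen < min_prefixlen:
        return ("reject", f"/{net.prefixlen} is larger than /{min_prefixlen}")
    if any(net.subnet_of(r) for r in mesh_ranges):
        return ("accept", "inside a community mesh range")
    # Small enough to pass the size check, but it covers addresses that
    # should only be reachable through the default route.
    return ("flag", "more-specific of the default route outside the mesh")


def review(hnas):
    """Map each announced prefix to its verdict."""
    return {h: classify_hna(h)[0] for h in hnas}


# Constructed sample announcements.
SAMPLE = ["0.0.0.0/0", "10.0.0.0/8", "128.0.0.0/1",
          "10.99.4.0/24", "10.99.4.1/24", "192.0.2.0/24"]

if __name__ == "__main__":
    for hna in SAMPLE:
        verdict, reason = classify_hna(hna)
        print(f"{hna:<16} {verdict:<7} {reason}")
```

The size limit alone lets `192.0.2.0/24` through; only the range check from the community profile surfaces it.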