[Babel-users] MTU based routing for tunnel based babel networks?

Daniel Gröber dxld at darkboxed.org
Wed Jul 19 19:25:48 BST 2023


Hi Juliusz,

While my (now fixed) tunnel stacking mitigation works for locally generated
wg packets it doesn't when they are being routed for another host on the
(ethernet) network. This was what motivated the MTU probing idea in the
first place.

I believe the probe-mtu option is still useful in general and even somewhat
in the wireguard case. The hello packet padding will force PMTU discovery
on the tunnel endpoint address to happen, which in turn allows my nftables
rule to trigger even when the apparent interface MTU is 1500 :)

Since that's a bit of a hack I've added another rule to my mitigation to
just filter fragmented wireguard packets outright:

    meta mark 0x1000  meta protocol ip6  exthdr frag != missing  counter drop

On Wed, Jul 19, 2023 at 12:04:02AM +0200, Juliusz Chroboczek wrote:
> Completely untested.  Please checkout the branch "probe-mtu", then say
> this in your config file:
> 
>     dont-fragment true
>     default probe-mtu true

The padding logic looks good. I can see hello packets of the right
(interface MTU) size leaving when probe-mtu is enabled.

To test dont-fragment I first set it to disabled and changed the
(wireguard) interface MTU from 1420 to 1280 at runtime. Doing this I can
observe babel hellos being fragmented in tcpdump.

When setting dont-fragment true this trick doesn't work and the neighbour
relationship to the other node doesn't get established.

So it looks like it's working.

Thanks,
--Daniel
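The nftables rule quoted in the message drops marked IPv6 packets that carry a Fragment extension header. As an added illustration (not code from the thread, from babeld or from nftables), the following Python models what that match does: it walks the IPv6 extension-header chain, reports whether a Fragment header is present and, for a first fragment or an unfragmented packet, the UDP destination port. The fwmark value 0x1000 is the one from the rule; the WireGuard listen port 51820 and the sample packets are constructed for the example and are assumptions.

```python
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS = 0, 43, 44, 51, 60
NH_UDP = 17
WG_MARK = 0x1000   # fwmark from the nftables rule (assumed to be the mark WireGuard sets)
WG_PORT = 51820    # assumed WireGuard listen port, used only for the sample packets


def walk_ipv6(pkt):
    """Walk the IPv6 extension-header chain of a raw packet.

    Returns {"fragmented": bool, "proto": upper-layer next-header value,
             "udp_dport": UDP destination port or None}.
    A non-first fragment carries no upper-layer header, so its port is None.
    """
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    fragmented, first_fragment = False, True
    while True:
        if nh == NH_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            next_nh, _, frag_field, _ = struct.unpack_from("!BBHI", pkt, off)
            fragmented = True
            first_fragment = (frag_field >> 3) == 0   # upper 13 bits: fragment offset
            off += 8
            nh = next_nh
            if not first_fragment:
                break
        elif nh in (NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS, NH_AH):
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            next_nh, ext_len = pkt[off], pkt[off + 1]
            # AH length is in 4-octet units (+2); the others in 8-octet units (+1)
            off += (ext_len + 2) * 4 if nh == NH_AH else (ext_len + 1) * 8
            nh = next_nh
        else:
            break
    dport = None
    if nh == NH_UDP and first_fragment and off + 8 <= len(pkt):
        dport = struct.unpack_from("!HH", pkt, off)[1]
    return {"fragmented": fragmented, "proto": nh, "udp_dport": dport}


def should_drop(pkt, fwmark):
    """Model of: meta mark 0x1000 meta protocol ip6 exthdr frag != missing counter drop"""
    if fwmark != WG_MARK:
        return False
    try:
        info = walk_ipv6(pkt)
    except ValueError:          # not IPv6 or truncated: the rule does not match
        return False
    return info["fragmented"]


# --- constructed sample packets (documentation-prefix addresses, not real traffic) ---
def ipv6(next_hdr, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload


def udp(dport, data):
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


def frag(next_hdr, offset8, more, ident=0x1234):
    return struct.pack("!BBHI", next_hdr, 0, (offset8 << 3) | (1 if more else 0), ident)


SAMPLE_UNFRAGMENTED = ipv6(NH_UDP, udp(WG_PORT, b"\x04\x00\x00\x00" + b"\x00" * 28))
SAMPLE_FIRST_FRAG = ipv6(NH_FRAGMENT, frag(NH_UDP, 0, True) + udp(WG_PORT, b"\x04\x00" + b"\x00" * 100))
SAMPLE_TAIL_FRAG = ipv6(NH_FRAGMENT, frag(NH_UDP, 185, False) + b"\x00" * 60)


def classify_samples():
    """Run the rule model over the three samples with the WireGuard mark set."""
    return [(name, should_drop(pkt, WG_MARK)) for name, pkt in (
        ("unfragmented", SAMPLE_UNFRAGMENTED),
        ("first-fragment", SAMPLE_FIRST_FRAG),
        ("tail-fragment", SAMPLE_TAIL_FRAG),
    )]


if __name__ == "__main__":
    for name, dropped in classify_samples():
        print(f"{name:15s} dropped={dropped}")
```

Only the first fragment of a datagram still carries the UDP header, which is why the rule matches on the Fragment extension header rather than on the port: a tail fragment gives a port-based rule nothing to match, while `exthdr frag != missing` catches every piece.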


