diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/README.md b/modules/sc-mesh-secure-deployment/src/nats/cbma/README.md index de7cef49..cf0aefcd 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/README.md +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/README.md @@ -19,16 +19,6 @@ ip link set wlp1s0 up # Connect wlp1s0 to the mesh if it isn't - Need a working wpa_supplicant_11s.conf wpa_supplicant -i wlp1s0 -c wpa_supplicant_11s.conf -D nl80211 -B -# Prepare lower-batman interface (using wlp1s0 locally administered MAC) -ip link del bat0 2>/dev/null -ip link add name bat0 type batadv -ip link set bat0 address $(read a < /sys/class/net/wlp1s0/address && printf "%02x${a:2}\n" $(( 0x${a:0:2} ^ 0x2 ))) -ip link set bat0 up - -# Create upper-batman inteface -ip link del bat1 2>/dev/null -ip link add name bat1 type batadv - # Install Python dependencies - Recommended to create + activate a venv before $ python3 -m pip install -r requirements.txt @@ -45,6 +35,17 @@ $ python3 standalone.py -i wlp1s0 # Runs lower-CBMA by default $ python3 standalone.py -i bat0 -b bat1 # Add -u if lower-CBMA wasn't established beforehand # NOTE: if bat0 doesn't have the same MAC as any of its attached interfaces (like LA wlp1s0 one) # you will have to generate certificates for it as a workaround + +# Optional - Now done automatically by standalone.py +# Prepare lower-batman interface (using wlp1s0 locally administered MAC) +ip link del bat0 2>/dev/null +ip link add name bat0 type batadv +ip link set bat0 address $(read a < /sys/class/net/wlp1s0/address && printf "%02x${a:2}\n" $(( 0x${a:0:2} ^ 0x2 ))) +ip link set bat0 up + +# Create upper-batman inteface +ip link del bat1 2>/dev/null +ip link add name bat1 type batadv ``` diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION b/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION index c18e5868..d0a45d62 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION @@ -1,4 +1,4 @@ -GIT_VERSION=v0.0.0-old_requirements_fixes -GIT_SHA=261e1b95dbe8a8a99af7cb56ad7abac90fd26884 -EPOCH_TIMESTAMP=1714545575 -PRECISE_DATE_TIMESTAMP="2024-05-01 - 06:39:35.164044574" +GIT_VERSION=v0.1.7-old_requirements_fixes +GIT_SHA=2b333ce8b4308663fd7901d87add93b731314f56 +EPOCH_TIMESTAMP=1717686203 +PRECISE_DATE_TIMESTAMP="2024-06-06 - 15:03:23.866091572" diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_bridge.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_bridge.sh index 5651ec41..e2373977 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_bridge.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_bridge.sh @@ -1,7 +1,7 @@ #!/bin/bash -export SCN='/sys/class/net' +source "${BASH_SOURCE%/*}/constants.rc" cleanup_bridge_if_needed() { diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_mess.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_mess.sh index d660187c..c2ffae2e 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_mess.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_mess.sh @@ -1,9 +1,7 @@ -#! /bin/bash +#!/bin/bash - -export SCN='/sys/class/net' - +source "${BASH_SOURCE%/*}/constants.rc" cleanup_macscbpad_interface() { @@ -33,6 +31,7 @@ cleanup_macsec_interface() cleanup_macvlan_interface() { + [ -e "$SCN/$MACVLAN_NAME" ] || return 0 cleanup_macscbub_interface cleanup_macsec_interface ip link delete "$MACVLAN_NAME" diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/constants.rc b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/constants.rc index aed14788..a7fea98a 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/constants.rc +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/constants.rc @@ -2,7 +2,7 @@ export MACSEC_OVERHEAD=16 # needs more testing, an overhead of 32 might even occur if batman-adv uses 4 address mode -export BATMAN_OVERHEAD=24 +export BATMAN_OVERHEAD=48 export HOPEFULLY1500=1500 export SCN='/sys/class/net' \ No newline at end of file diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/create_mess.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/create_mess.sh index 49e40612..5ebed956 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/create_mess.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/create_mess.sh @@ -178,7 +178,7 @@ random_mac_address() create_macvlan_interface() { - if ! ip link add link "$BASE_INTERFACE_NAME" name "$MACVLAN_NAME" address "$LOCAL_MAC" mtu "$MACVLAN_MTU" type macvlan mode source bcqueuelen 0 \ + if ! ip link add link "$BASE_INTERFACE_NAME" name "$MACVLAN_NAME" address "$LOCAL_MAC" mtu "$MACVLAN_MTU" type macvlan mode source nodst bcqueuelen 0 \ || ! ip link set link dev "$MACVLAN_NAME" type macvlan macaddr add "$REMOTE_MAC"; then return `false` fi @@ -216,12 +216,12 @@ create_macvlan_interface() create_bridge_if_needed() { if [ ! -e "$SCN/$MACBR_NAME/bridge" ]; then - >&2 echo "Error: creation has been moved to create_bridge.sh, $MACBR_NAME should exist" - return `false` + >&2 echo "WARN: $MACBR_NAME doesn't exist when it should, recreating it but something is misbehaving" + "${BASH_SOURCE%/*}/create_bridge.sh" "$L_OR_U" "$BASE_INTERFACE_NAME" || return $? fi create_macvlan_interface || return `false` REMOTE_EUI64=`mac_to_eui64 "$REMOTE_MAC"` - REMOTE_LLA="fe80::$REMOTE_EUI64" + REMOTE_LLA="fe80::$REMOTE_EUI64" ip neigh replace "$REMOTE_LLA" lladdr "$REMOTE_MAC" dev "$MACBR_NAME" } diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh index e7b0e0a2..66cf0c22 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh @@ -7,7 +7,7 @@ KEYPAIR_TYPE="rsa" # Can be ecdsa, eddsa, or rsa DEFAULT_LOG_LEVEL="INFO" -BASE_MTU="1400" +BASE_MTU="1500" CBMA_DEBUG=0 BAT_DEBUG=0 @@ -104,8 +104,7 @@ setup_wlan() { # ip netns exec "$I" ip link set dev "$WLAN" name "wlp1s${I}" # ip netns exec "$I" iw dev "wlp1s${I}" set type mesh - # NOTE - No need to set MTU for now - # ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80)) + ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80)) ip netns exec "$I" ip link set dev "wlp1s${I}" address "00:20:91:0${I}:0${I}:0${I}" ip netns exec "$I" ip link set dev "wlp1s${I}" up @@ -126,7 +125,7 @@ setup_eth() { ip link add "$ETH" type veth peer name "eth${I}" netns "$I" # NOTE - No need to set MTU for now - # ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108)) + ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108)) ip netns exec "$I" ip link set dev "eth${I}" address "00:20:91:${I}0:${I}0:${I}0" ip link set "$ETH" up diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/upgrade_cbma.sh b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/upgrade_cbma.sh index ef8d7c0d..36aa3438 100755 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/upgrade_cbma.sh +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/upgrade_cbma.sh @@ -47,6 +47,7 @@ cleanup_mdm_agent_files() { command ssh ${ID_RSA:+-i "$ID_RSA"} $SSH_OPTIONS "root@$IP" bash <<-EOF || exit 6 rm -f /opt/certs_uploaded rm -rf /opt/certs || : + rm -rf /opt/mdm || : EOF } @@ -122,6 +123,6 @@ fi stop_mdm_agent "$IP" "$ID_RSA" cleanup_logs "$IP" "$ID_RSA" cleanup_mdm_agent_files "$IP" "$ID_RSA" -upgrade_cbma "$CBMA" "$IP" "$ID_RSA" +# upgrade_cbma "$CBMA" "$IP" "$ID_RSA" # upgrade_birthcerts "$IP" "$ID_RSA" start_mdm_agent "$IP" "$ID_RSA" diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py index c7731326..a5ad6250 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py @@ -1,3 +1,4 @@ +import os import sys import argparse @@ -14,8 +15,9 @@ BATMAN_ROUTING_ALG = 'BATMAN_V' +CBMA_ROOT = os.path.normpath(os.path.dirname(__file__)) -def get_interface_locally_administed_mac(interface: str) -> str: +def get_interface_locally_administered_mac(interface: str) -> str: mac = get_interface_mac_address(interface) mac_bytes = bytearray.fromhex(mac.replace(':', '')) mac_bytes[0] ^= 0x2 # Locally administered bit @@ -35,6 +37,32 @@ def destroy_batman(batman: str) -> None: destroy_batman_str = f"ip link del {batman}" run_command_retcode(destroy_batman_str.split()) +def get_mtu_from_constants_rc(exclude: list[str] = []) -> int: + mtu = 0 + constants_rc = f"{CBMA_ROOT}/scripts/mess/constants.rc" + with open(constants_rc, 'r') as f: + for line in f.readlines(): + if line.startswith('#') or not '=' in line \ + or not ('OVERHEAD' in line or 'HOPEFULLY' in line): + continue + for e in exclude: + if e in line: + break + else: + try: + mtu += int(line.split('=')[-1].strip()) + except ValueError: + logger.warning(f"Ignoring '{line.strip()}' for MTU calculation") + if not mtu: + logger.error(f"Unable to get MTU value from {constants_rc}") + sys.exit(255) + + return mtu + +def set_interface_mtu(interface: str, mtu: int) -> bool: + cmd_str = f"ip link set {interface} mtu {mtu}" + return not run_command_retcode(cmd_str.split()) + if __name__ == '__main__': parser = argparse.ArgumentParser(description='CBMA standalone parameters') @@ -101,6 +129,17 @@ def destroy_batman(batman: str) -> None: certificates = CBMACertificates(cert_dir, key, chain, ca) is_upper = args.upper or any('bat' in i and glob(f"/sys/class/net/*/upper_{i}") for i in interfaces) + + mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD']) + mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY']) + if not is_upper: + mtu_overhead *= 2 + mtu = mtu_base + mtu_overhead + + for i in interfaces: + if not set_interface_mtu(i, mtu): + sys.exit(255) + enable_macsec_encryption = is_upper try: controller = CBMAController(args.port, @@ -113,7 +152,7 @@ def destroy_batman(batman: str) -> None: sys.exit(255) if not (existing_batman := f"/sys/class/net/{args.batman}" in glob("/sys/class/net/*")): - mac = get_interface_locally_administed_mac(interfaces[0]) + mac = get_interface_locally_administered_mac(interfaces[0]) create_batman(args.batman, mac) try: logger.info(f"Adding {interfaces} to the CBMAController") diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/unittests/test_secure_socket.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/unittests/test_secure_socket.py index 4dd4e0f3..15f6227b 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/unittests/test_secure_socket.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/unittests/test_secure_socket.py @@ -1,7 +1,10 @@ import os +import sys from OpenSSL import SSL +sys.path.insert(0, os.path.normpath(os.path.join(os.path.dirname(__file__), os.pardir))) + from secure_socket.secure_socket import FileBasedSecureSocket from models.certificates import CBMACertificates diff --git a/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/networking.py b/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/networking.py index 61b99b16..3c3c995d 100644 --- a/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/networking.py +++ b/modules/sc-mesh-secure-deployment/src/nats/cbma/utils/networking.py @@ -1,13 +1,12 @@ from struct import Struct from ipaddress import IPv6Address -from . import logging, common +from . import common LLA_PREFIX = 'fe80' pack_ipv6 = Struct('!16s').pack -logger = logging.get_logger() def get_interface_mac_address(interface: str) -> str: