From d50feeab07f2a0f81a50a985b70b6e7295d74350 Mon Sep 17 00:00:00 2001 From: Johannes Kimmel Date: Tue, 16 Feb 2021 07:56:44 +0100 Subject: [PATCH] fff-layer3-vxmesh: add babel MTU filters A VXLAN Tunnel (IPv6, without inner VLAN tag) adds 70 bytes of overhead to each packet. To support bridging our client interfaces with an MTU of 1500, VXLAN packets require a link with an MTU of 1570. To avoid sending too large packets to peers over a link with an MTU less than 1570, this patch adds filters to babel to ignore routes to peers announced over small links. Signed-off-by: Johannes Kimmel --- .../files/etc/layer3.d/60-vxmesh | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/src/packages/fff/fff-layer3-vxmesh/files/etc/layer3.d/60-vxmesh b/src/packages/fff/fff-layer3-vxmesh/files/etc/layer3.d/60-vxmesh index 7018a1e..f6deeb8 100644 --- a/src/packages/fff/fff-layer3-vxmesh/files/etc/layer3.d/60-vxmesh +++ b/src/packages/fff/fff-layer3-vxmesh/files/etc/layer3.d/60-vxmesh @@ -1,5 +1,7 @@ #!/bin/sh +. /lib/functions.sh + configure() { local proto local peerip 
@@ -92,6 +94,52 @@ configure() { EOF done + # learn routes to other peers only over babel interfaces with sufficient mtu + # - according to the rfc, vxlan packets must not be fragmented by a VTEP + # - the vxlan tunnel requires an mtu of 1570 when using ipv6 + # + # -> to avoid sending too large packets over an interface with too small mtu, + # don't learn a route to a peer over that interface in the first place + babel_filter_mtu() { + local config="$1" + local otherpeers="$2" + local mtu + local ifname + + case $config in + babelpeer*) ;; + wireguardpeer*) ;; + *) return ;; + esac + + config_get mtu "$config" mtu + config_get ifname "$config" ifname + + [ "${mtu:-0}" -ge "1570" ] && return + [ -z "${ifname}" ] && { + echo "WARNING: could not determine ifname from \"$config\"" + return + } + for peer in $otherpeers; do + if ! uci -q batch > /dev/null; then + echo "FATAL: error adding babel filter for vxlan peer!" + echo " peer: \"$peer\"" + echo " interface: \"$ifname\"" + return 1 + fi <<- EOF + add babeld filter + set babeld.@filter[-1].type="in" + set babeld.@filter[-1].ip="$peer" + set babeld.@filter[-1].if="$ifname" + set babeld.@filter[-1].addedbyautoconfig="true" + set babeld.@filter[-1].action="deny" + EOF + done + } + + config_load network + config_foreach babel_filter_mtu interface "$otherpeers" + # with multiple routers in the network, there shouldn't be an authoritative # dhcp server uci set dhcp.@dnsmasq[0].authoritative="0" @@ -103,9 +151,11 @@ configure() { apply() { uci commit network uci commit dhcp + uci commit babeld } revert() { uci revert network uci revert dhcp + uci revert babeld }
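Review bot: The `return 1` in the FATAL branch of `babel_filter_mtu` is lost at the call site, because the status of `config_foreach babel_filter_mtu interface "$otherpeers"` is never checked and, as far as I know, `config_foreach` keeps iterating whatever a callback returns. A deny filter that could not be added therefore leaves the route over the small-MTU link learnable while `configure()` carries on with the dhcp settings, so the failure is open rather than closed. I would record it in a variable declared `local` in `configure()`, e.g. `babel_filter_failed=1` just before the `return 1`, and add `[ -z "$babel_filter_failed" ] || return 1` after the `config_foreach` line. Separately, `peer` in the `for` loop is not declared `local` like the other four variables and leaks into the caller's scope; add `local peer`. `configure()` starts before and continues after this hunk, so whether its callers act on a non-zero status is not visible here.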