Merge pull request #463 from tiiuae/upgrade-cbma-to-v0.1.7

Author: TIISR

modules/sc-mesh-secure-deployment/src/nats/cbma/README.md

@@ -19,16 +19,6 @@ ip link set wlp1s0 up
 # Connect wlp1s0 to the mesh if it isn't - Need a working wpa_supplicant_11s.conf
 wpa_supplicant -i wlp1s0 -c wpa_supplicant_11s.conf -D nl80211 -B
 
-# Prepare lower-batman interface (using wlp1s0 locally administered MAC)
-ip link del bat0 2>/dev/null
-ip link add name bat0 type batadv
-ip link set bat0 address $(read a < /sys/class/net/wlp1s0/address && printf "%02x${a:2}\n" $(( 0x${a:0:2} ^ 0x2 )))
-ip link set bat0 up
-
-# Create upper-batman inteface
-ip link del bat1 2>/dev/null
-ip link add name bat1 type batadv
-
 # Install Python dependencies - Recommended to create + activate a venv before
 $ python3 -m pip install -r requirements.txt
 
@@ -45,6 +35,17 @@ $ python3 standalone.py -i wlp1s0          # Runs lower-CBMA by default
 $ python3 standalone.py -i bat0 -b bat1    # Add -u if lower-CBMA wasn't established beforehand
 # NOTE: if bat0 doesn't have the same MAC as any of its attached interfaces (like LA wlp1s0 one)
 #       you will have to generate certificates for it as a workaround
+
+# Optional - Now done automatically by standalone.py
+#   Prepare lower-batman interface (using wlp1s0 locally administered MAC)
+ip link del bat0 2>/dev/null
+ip link add name bat0 type batadv
+ip link set bat0 address $(read a < /sys/class/net/wlp1s0/address && printf "%02x${a:2}\n" $(( 0x${a:0:2} ^ 0x2 )))
+ip link set bat0 up
+
+#   Create upper-batman inteface
+ip link del bat1 2>/dev/null
+ip link add name bat1 type batadv
 ```
 
 

modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION

@@ -1,4 +1,4 @@
-GIT_VERSION=v0.0.0-old_requirements_fixes
-GIT_SHA=261e1b95dbe8a8a99af7cb56ad7abac90fd26884
-EPOCH_TIMESTAMP=1714545575
-PRECISE_DATE_TIMESTAMP="2024-05-01 - 06:39:35.164044574"
+GIT_VERSION=v0.1.7-old_requirements_fixes
+GIT_SHA=2b333ce8b4308663fd7901d87add93b731314f56
+EPOCH_TIMESTAMP=1717686203
+PRECISE_DATE_TIMESTAMP="2024-06-06 - 15:03:23.866091572"

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_bridge.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 
-export SCN='/sys/class/net'
+source "${BASH_SOURCE%/*}/constants.rc"
 
 cleanup_bridge_if_needed()
 {

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/cleanup_mess.sh

@@ -1,9 +1,7 @@
-#! /bin/bash
+#!/bin/bash
 
 
-
-export SCN='/sys/class/net'
-
+source "${BASH_SOURCE%/*}/constants.rc"
 
 cleanup_macscbpad_interface()
 {
@@ -33,6 +31,7 @@ cleanup_macsec_interface()
 
 cleanup_macvlan_interface()
 {
+	[ -e "$SCN/$MACVLAN_NAME" ] || return 0
 	cleanup_macscbub_interface
 	cleanup_macsec_interface
 	ip link delete "$MACVLAN_NAME"

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/constants.rc

@@ -2,7 +2,7 @@
 export MACSEC_OVERHEAD=16
 
 # needs more testing, an overhead of 32 might even occur if batman-adv uses 4 address mode
-export BATMAN_OVERHEAD=24
+export BATMAN_OVERHEAD=48
 
 export HOPEFULLY1500=1500
 export SCN='/sys/class/net'

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/mess/create_mess.sh

@@ -178,7 +178,7 @@ random_mac_address()
 
 create_macvlan_interface()
 {
-	if ! ip link add link "$BASE_INTERFACE_NAME" name "$MACVLAN_NAME" address "$LOCAL_MAC" mtu "$MACVLAN_MTU" type macvlan mode source bcqueuelen 0 \
+	if ! ip link add link "$BASE_INTERFACE_NAME" name "$MACVLAN_NAME" address "$LOCAL_MAC" mtu "$MACVLAN_MTU" type macvlan mode source nodst bcqueuelen 0 \
 	|| ! ip link set link dev "$MACVLAN_NAME" type macvlan macaddr add "$REMOTE_MAC"; then
 		return `false`
 	fi
@@ -216,12 +216,12 @@ create_macvlan_interface()
 create_bridge_if_needed()
 {
 	if [ ! -e "$SCN/$MACBR_NAME/bridge" ]; then
-		>&2 echo "Error: creation has been moved to create_bridge.sh, $MACBR_NAME should exist"
-		return `false`
+		>&2 echo "WARN: $MACBR_NAME doesn't exist when it should, recreating it but something is misbehaving"
+		"${BASH_SOURCE%/*}/create_bridge.sh" "$L_OR_U" "$BASE_INTERFACE_NAME" || return $?
 	fi
 	create_macvlan_interface || return `false`
 	REMOTE_EUI64=`mac_to_eui64 "$REMOTE_MAC"`
-        REMOTE_LLA="fe80::$REMOTE_EUI64"
+	REMOTE_LLA="fe80::$REMOTE_EUI64"
 	ip neigh replace "$REMOTE_LLA" lladdr "$REMOTE_MAC" dev "$MACBR_NAME"
 }
 

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/run_simulation.sh

@@ -7,7 +7,7 @@ KEYPAIR_TYPE="rsa"    # Can be ecdsa, eddsa, or rsa
 
 DEFAULT_LOG_LEVEL="INFO"
 
-BASE_MTU="1400"
+BASE_MTU="1500"
 
 CBMA_DEBUG=0
 BAT_DEBUG=0
@@ -104,8 +104,7 @@ setup_wlan() {
     # ip netns exec "$I" ip link set dev "$WLAN" name "wlp1s${I}"
     # ip netns exec "$I" iw dev "wlp1s${I}" set type mesh
 
-    # NOTE - No need to set MTU for now
-    # ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80))
+    ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80))
 
     ip netns exec "$I" ip link set dev "wlp1s${I}" address "00:20:91:0${I}:0${I}:0${I}"
     ip netns exec "$I" ip link set dev "wlp1s${I}" up
@@ -126,7 +125,7 @@ setup_eth() {
     ip link add "$ETH" type veth peer name "eth${I}" netns "$I"
 
     # NOTE - No need to set MTU for now
-    # ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108))
+    ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108))
     ip netns exec "$I" ip link set dev "eth${I}" address "00:20:91:${I}0:${I}0:${I}0"
 
     ip link set "$ETH" up

modules/sc-mesh-secure-deployment/src/nats/cbma/scripts/upgrade_cbma.sh

@@ -47,6 +47,7 @@ cleanup_mdm_agent_files() {
     command ssh ${ID_RSA:+-i "$ID_RSA"} $SSH_OPTIONS "root@$IP" bash <<-EOF || exit 6
 			rm -f /opt/certs_uploaded
 			rm -rf /opt/certs || :
+			rm -rf /opt/mdm || :
 		EOF
 }
 
@@ -122,6 +123,6 @@ fi
 stop_mdm_agent "$IP" "$ID_RSA"
 cleanup_logs "$IP" "$ID_RSA"
 cleanup_mdm_agent_files "$IP" "$ID_RSA"
-upgrade_cbma "$CBMA" "$IP" "$ID_RSA"
+# upgrade_cbma "$CBMA" "$IP" "$ID_RSA"
 # upgrade_birthcerts "$IP" "$ID_RSA"
 start_mdm_agent "$IP" "$ID_RSA"

modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py

@@ -1,3 +1,4 @@
+import os
 import sys
 import argparse
 
@@ -14,8 +15,9 @@
 
 
 BATMAN_ROUTING_ALG = 'BATMAN_V'
+CBMA_ROOT = os.path.normpath(os.path.dirname(__file__))
 
-def get_interface_locally_administed_mac(interface: str) -> str:
+def get_interface_locally_administered_mac(interface: str) -> str:
     mac = get_interface_mac_address(interface)
     mac_bytes = bytearray.fromhex(mac.replace(':', ''))
     mac_bytes[0] ^= 0x2  # Locally administered bit
@@ -35,6 +37,32 @@ def destroy_batman(batman: str) -> None:
     destroy_batman_str = f"ip link del {batman}"
     run_command_retcode(destroy_batman_str.split())
 
+def get_mtu_from_constants_rc(exclude: list[str] = []) -> int:
+    mtu = 0
+    constants_rc = f"{CBMA_ROOT}/scripts/mess/constants.rc"
+    with open(constants_rc, 'r') as f:
+        for line in f.readlines():
+            if line.startswith('#') or not '=' in line \
+               or not ('OVERHEAD' in line or 'HOPEFULLY' in line):
+                continue
+            for e in exclude:
+                if e in line:
+                    break
+            else:
+                try:
+                    mtu += int(line.split('=')[-1].strip())
+                except ValueError:
+                    logger.warning(f"Ignoring '{line.strip()}' for MTU calculation")
+    if not mtu:
+        logger.error(f"Unable to get MTU value from {constants_rc}")
+        sys.exit(255)
+
+    return mtu
+
+def set_interface_mtu(interface: str, mtu: int) -> bool:
+    cmd_str = f"ip link set {interface} mtu {mtu}"
+    return not run_command_retcode(cmd_str.split())
+
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='CBMA standalone parameters')
@@ -101,6 +129,17 @@ def destroy_batman(batman: str) -> None:
     certificates = CBMACertificates(cert_dir, key, chain, ca)
 
     is_upper = args.upper or any('bat' in i and glob(f"/sys/class/net/*/upper_{i}") for i in interfaces)
+
+    mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD'])
+    mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY'])
+    if not is_upper:
+        mtu_overhead *= 2
+    mtu = mtu_base + mtu_overhead
+
+    for i in interfaces:
+        if not set_interface_mtu(i, mtu):
+            sys.exit(255)
+
     enable_macsec_encryption = is_upper
     try:
         controller = CBMAController(args.port,
@@ -113,7 +152,7 @@ def destroy_batman(batman: str) -> None:
         sys.exit(255)
 
     if not (existing_batman := f"/sys/class/net/{args.batman}" in glob("/sys/class/net/*")):
-        mac = get_interface_locally_administed_mac(interfaces[0])
+        mac = get_interface_locally_administered_mac(interfaces[0])
         create_batman(args.batman, mac)
     try:
         logger.info(f"Adding {interfaces} to the CBMAController")

modules/sc-mesh-secure-deployment/src/nats/cbma/unittests/test_secure_socket.py

@@ -1,7 +1,10 @@
 import os
+import sys
 
 from OpenSSL import SSL
 
+sys.path.insert(0, os.path.normpath(os.path.join(os.path.dirname(__file__), os.pardir)))
+
 from secure_socket.secure_socket import FileBasedSecureSocket
 from models.certificates import CBMACertificates
 

modules/sc-mesh-secure-deployment/src/nats/cbma/utils/networking.py

@@ -1,13 +1,12 @@
 from struct import Struct
 from ipaddress import IPv6Address
 
-from . import logging, common
+from . import common
 
 
 LLA_PREFIX = 'fe80'
 
 pack_ipv6 = Struct('!16s').pack
-logger = logging.get_logger()
 
 
 def get_interface_mac_address(interface: str) -> str: