I can guarantee that.
The traffic is showing up on other devices on the network. Devices that have a working setup (23.05 or Ubuntu) react to the traffic and respond to it.
Out path works.
I'll work on the capture so I can share it but I think this is the case. tcpdump -e -i br-lan (or lan1) shows multicasts from other devices on the network - MAC address corresponds to the working 23.05 router or to an Ubuntu working install.
Presumably you have backported/compiled your own fork of 23.05 for this.
I would guess the netatalk package has config options for atalkd to specify the network interface to use.
The problem is that the bridge, with DSA, is not an interface, rather it is a device.
Try specifying one of the bridge device interfaces eg lan1 instead of eg br-lan
Run brctl show and pick one.
That makes it sound shady. No, not calling anyone into the back alley, just trying to focus the discussion.
I maintain the netatalk package. It is officially in Snapshot and in 24.10. I am hoping to get it backported to 23.05 where it works (PR open), in the meantime I have the netatalk package built for 23.05 with the official SDK. That is the userspace piece.
I opened a PR (now merged) to get the appletalk module back into OpenWrt. It's on snapshot now in standard images. PR open to backport to 24.10. Maybe to 25.05 after? That's the kernel piece.
I use a custom 23.05 image which is identical in config to the official one plus the change in kernel build scripts (modules/netsupport) to include building the appletalk module for 23.05 (details in PR).
I am also in contact with upstream netatalk but I am not part of their team.
That's probably more confusing than anything else I've sent. To summarize, I have:
Snapshot official image - nothing custom built - not working (ipq806x and ath97)
24.10 quasi-official image (at head) - netatalk official build - not working (ipq806x and ath97)
23.05 quasi-official image (at 23.05 tag) - SDK netatalk built - working (ipq806x and ath97)
Ubuntu with build from netatalk upstream tarball - working.
Also built a bunch of other images at different commit points and that's how I'm certain the change to DSA broke this. That's on the openwrt issue I have open.
What that means is that replicating this is easy:
flash snapshot, install netatalk, run atalkd with defaults
do the same thing on a second device (for two devices ignoring each other), or better yet, build netatalk on linux (which will work) and have it interact with the snapshot OpenWt device.
No doubt I need a new hobby.
Tried.
root@TestWrt-63:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.c47154053a77 no lan4
lan2
lan3
lan1
Doesn't matter if atalkd runs against br-lan, lan1, or even eth1. Same behaviour.
I don't discount that. But put the other way around, DSA breaks this.
If some config voodoo can unbreak it, or (again, I know, long shot) some change to how OpenWrt enabled DSA allows for this to work, I'd be happy.
This might be a symptom of an underlying issue with DSA.
I would agree the priority of it is below rock bottom but it still matters to me.
Hunting for ideas... like that one:
With that in mind I'll poke at the module's code to at least add debugging all over.
can see
ββββββββββ outgoing
β βββββββββ ββββββββββββ
β β β
βΌ βΌ βΌ
βββββ βββββ βββββ
β β β β β β
β a ββββΊβ b ββββββββLANβββββββββΊβ o β
β t β β r β β t β
β a β β - β β h β
β l β β l β β e β
β k β β a β β r β
β d β β n ββββββββLANββββββββββ€ β
β β β β β β
βββββ βββββ βββββ
β² β² β²
β β β
nothing βββββββββ can see ββββββ
from outside incomming
And yes... it's probably the module or atalkd... but an image built at the commit prior the device migrated to DSA works beautifully. Image built at commit when device migrated to DSA behaves like this.
I'm looking for a "C for DSA dummies" text I can read that describes how a socket on an interface needs to be changed to keep socketing on a DSA switch. Bit unfair; I would have expected DSA not to impose code changes to daemon/module code and for this to be caused by some decision to have OpenWrt just DSA IP traffic or something like that.
Yes. The only ethernet cable plugged into this thing is on lan1. If anything is coming into this box, it's through lan1.
Maybe this is relevant then? lan1 sees it coming in, but it's not a "multicast" because it's weird 802.3 packet and not the usual ethertype IPv4? It's almost like the switch didn't know what to do with 09:00:07:ff:ff:ff or a 802.3 packet.
I mean the frame is already "in" after its received on the CPU port, is it not? Landing the frame on lan1 I would imagine is just a case of updating the interface pointer in skb to point to lan1 (after peeling the switch's proprietary tag that says something akin to "this one is inbound for lan1").
Hmm should we not see drops in the interface statistics somewhere, if the frame is weird and gets dropped?
Ugh, I want to see the frame but I don't want to compile software right now haha
Hm, I briefly considered if some ethertype confusion could arise during the second pass through netif_receive_skb(). But at least on my box the ethertypes used are different.
Would have been really odd too. If one could trigger an extra netif_receive_skb() loop or a spurious detag, that would also mean you could inject frames that spoof coming from an arbitrary switch port.
Btw, did you dissect the frame captured on lan1 to verify that it looks identical to the one the Ubuntu machine sent?
You should have said so in the first place
I am surprised though that the PR was accepted without a uci config...
What do you have in your /etc/afp.conf file?
It is a long time since I had to use afp for anything and I do not have any Apple products for testing, but my OpenSuse Laptop should be able to see an afp server so I will try a few things.
Normally on OpenWrt with DSA, to add support for a new protocol, you would load a suitable kmod and then create an interface to use the protocol, using a supporting utility.
Then add that new interface to a bridge.
A typical example is vxlan layer 2 tunnelling, where a vxlan interface is created using ip-full. For example on my test router:
root@meshnode-16ad:/etc# ip -d link show vxlan69
16: vxlan69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-tun69 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 96:83:c4:18:16:ad brd ff:ff:ff:ff:ff:ff promiscuity 1 allmulti 1 minmtu 68 maxmtu 65535
vxlan id 69 group ff02::69 local fe80::9683:c4ff:fe17:16ad dev br-lan srcport 0 0 dstport 4789 ttl 5 ageing 300
and:
root@meshnode-16ad:/etc# brctl show
bridge name bridge id STP enabled interfaces
br-tun69 7fff.9683c41816ad no vxradio0
vxlan69
br-lan 7fff.9483c41716ad yes phy0-ap0
eth0.1
m-11s-0
There is no utility I am aware of that will create an afp interface, so I would expect the afpd to do this as it starts.
This will be expected by DSA as far as I can see.
Another thing, reading the netatalk documentation/man, it is all biassed towards tcp/ip layer 3 rather than the ancient/original layer 2 implementation.
My guess is configuring with the router's ipv6 ula would be more appropriate as listener address...
Just thinking out loud.....
I can't say I know everything I should be doing. If we need that, I'll eventually get it done.
That's AFP (Apple Filing Protocol). That can go on IP. And it works. That's what started this for me. I needed afpd working for Time Machine for a High Sierra Mac (High Sierra and before can do Samba shares but cannot use TM on them). We can poke at that but that's not this problem. It works on DSA no issues. It's IP.
This is about DDP or AppleTalk which was the layer 3 protocol for Macs that don't do IP (System 6 or older, System 7-9 without Open Transport, supported up to Lion I think so 10.7). In that case afpd is reached through a DDP port. afpd registers itself on atalkd, and clients talk DDP to atalkd.
I have a test setup with a System 9 PPC Mac VM speaking DDP to the afpd server in the OpenWrt 23.05 install. Works. Goes through wireless and unmanaged switches no problem (I don't have any managed ones). I've seen howto's on how to share a LaserWriter with this, relying on netatalk v2. There is little but some niche demand for this. Someone actually sells an IP gateway for localtalk.
For sure. I used to run Suse. Good memories.
If you are running Snapshot or 24.10, just pull netatalk from OpenWrt downloads for afpd. It is all userspace. The Snapshot package might just work in 23.05 provided dependencies are met (libevent, bdb47, libgcrypt). If not, packages repo has the Makefile and the service file so it is straightforward to build on a OpenWrt SDK.
To fight this DDP thing with OpenSuse, you would need to clone netatalk's repo or get their tarball and build on OpenSuse. It's a straightforward quick build. You will get an atalkd for your platform, and that can be run from shell. OpenSuse should have the appletalk module in their distro (you can modprobe it to check, Ubuntu does). If atalkd is running then afpd will open a port on it and register itself. If you are running snapshot, you can apk add kmod-appletalk. With the netatalk package that will give you the full set for DDP on the router.
As for running the System 9 VM on qemu, it took me a while but it's not complicated. If that's your thing I'll share details. I plan on documenting all this stuff on the OpenWrt wiki one day.
kmod-appletalk
Hmmm... that should be atalkd. And that's what's missing I guess. atalkd before just opened a socket on the interface and it was good to go. If DSA requires a new interface to be created, that's net new. Some of it will fall on atalkd and some other on the kext. This will be fun.
I can see why you need a new interface for a tunnel. Or for a virtual adapter (tap). But for this? I don't see every other daemon (like odhcpd or dnsmasq) creating an interface to get traffic out of the bridge. Those get out of jail free because it's IPv4/v6? More reading to do.
Yeah, because the original layer 2 stuff dropped on netatalk 3... so September 2012? It's back as of this year. Like sun spots... 12 year cycle, I guess.
For the layer 3 stuff you are good to go, even on 23.05 if you build netatalk with the SDK.
For that ancient stuff... I think I'm almost there (maybe bridge family on nftables? maybe poke at the kmod to see where it is dropping the ball?).
Layer 2 or layer 3, it is all the same to the bridge (as layer 3 sits on top of layer 2).
What is missing is protocol support on an interface of the bridge device.
If that was available, the afp service would be able to pick up requests and send on the bridge, but it cannot.
They already have interfaces with ip protocol support, so yes they get out of jail free!
afp service will pick up requests because it is IP enabled. That one works right off.
For AppleTalk file sharing (or afp through DDP and not IP) the atalkd and kernel module are needed.
I'll poke around to figure out what is missing so protocol support is added to the existing interfaces as happens for IP.
It's just complicated to juggle all the different builds for this to happen.
or tcpdump ... -s0 -w /tmp/my.pcap and open on another machine with wireshark already installed.
Hmm just looked up what is needed to run ftrace / bpftrace / etc and stick ones nose in net / skb / sock functions and sniff around. From Brendan Gregg's excellent homepage: