Re: pf(4) drops valid IGMP/MLD messages

Thu, 02 Mar 2023 23:55:32 -0800 

Hi, just another bit of info about this issue.

I've installed from github the newest version of mrouted on a Linux machine.

Just like the built-in OpenBSD's version of mrouted, this github version
sends DVMRP Prune messages
with IP Destination Address = Unicast Address of the adjacent router, and
TTL=255.

Here you can find a tcpdump:
08:49:19.363829 IP (tos 0xc0, ttl 255, id 52275, offset 0, flags [none],
proto IGMP (2), length 44, options (RA))
    10.0.12.101 > 10.0.12.1: igmp dvmrp Prune src 10.254.2.0 grp
239.255.255.42 timer 1h47m2s

Best regards,
Luca

Il giorno mar 28 feb 2023 alle ore 15:39 Alexandr Nedvedicky <
[email protected]> ha scritto:

> Hello Matthieu,
>
> </snip>
>
> On Tue, Feb 28, 2023 at 02:05:50PM +0100, Matthieu Herrb wrote:
> > > --- a/sys/net/pf.c
> > > +++ b/sys/net/pf.c
> > > @@ -6846,8 +6846,12 @@ pf_walk_header(struct pf_pdesc *pd, struct ip
> *h, u_short *reason)
> > >     pd->proto = h->ip_p;
> > >     /* IGMP packets have router alert options, allow them */
> > >     if (pd->proto == IPPROTO_IGMP) {
> > > -           /* According to RFC 1112 ttl must be set to 1. */
> > > -           if ((h->ip_ttl != 1) || !IN_MULTICAST(h->ip_dst.s_addr)) {
> > > +           /*
> > > +            * According to RFC 1112 ttl must be set to 1 in all IGMP
> > > +            * packets sent do 224.0.0.1
> > > +            */
> > > +           if ((h->ip_ttl != 1) &&
> > > +               (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
> > >                     DPFPRINTF(LOG_NOTICE, "Invalid IGMP");
> > >                     REASON_SET(reason, PFRES_IPOPTIONS);
> > >                     return (PF_DROP);
> > >
> >
> >
> > Hi,
> >
> > The expression look wrong to me again.
> > I read in RFC1112 that correct packets should have:
> >
> >   (h->ip_ttl == 1 && h->ip.ip_dst.s_addr == INADDR_ALLHOST_GROUP)
>
>     the expression above is true for for Query/Report messages
>     which are a sub-set of IGMP protocol. See Luca's emails with
>     references to RFCs which further extend IGMP protocol.
>
>     here in this particular place (pf_walk_header()) I think we really
>     want to simply discard all IGMP datagrams sent to 224.0.0.1 with TTL
>     different to 1.  anything else should be passed further up and let
> pf(4)
>     rules to make a decision on those cases.
>
> thanks and
> regards
> sashan
>

Reply via email to