Synopsis:	PF still blocks IGMP multicast control packets
Category:	system
Environment:
	System      : OpenBSD 7.2
	Details     : OpenBSD 7.2 (GENERIC) #6: Sat Jan 21 01:01:28 MST 2023
	                 r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

	Architecture: OpenBSD.amd64
	Machine     : amd64
Description:
	In https://www.openbsd.org/plus72.html it is stated that:

	    "Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow
	    multicast control packets to work by default."

	But, with PF enabled, IGMP DVMRP Prune messages exchanged between two
	mrouted instances are still blocked.

	Tests can be done with the default lines in /etc/pf.conf:

	    set skip on lo
	    block return
	    pass
	    block return in on ! lo0 proto tcp to port 6000:6010
	    block return out log proto {tcp udp} user _pbuild

	If PF is disabled with pfctl -d, the IGMP DVMRP Prune is not blocked.

How-To-Repeat:
	Configure two OpenBSD hosts running mrouted (mrouted1 and mrouted2):

	    rcctl set multicast status on
	    sysctl net.inet.ip.forwarding=1
	    echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
	    sysctl net.inet.ip.mforwarding=1
	    echo "net.inet.ip.mforwarding=1" >> /etc/sysctl.conf
	    cp /etc/examples/mrouted.conf /etc/mrouted.conf

	The connection between mrouted1 and mrouted2 can be made with a gif
	interface. Example of /etc/hostname.gif0:

	    mtu 1420
	    10.10.10.1 10.10.10.2 netmask 255.255.255.252
	    tunnel <IP_mrouted1> <IP_mrouted2>

	Architecture:

	    generator -- wg1 --> mrouted1 <-- gif0 --> mrouted2 -- wg2 --> receiver

	wg1 and wg2 can be wireguard interfaces, or tun, gif, gre, ... interfaces.
	wg1 is 10.0.12/24.

	Commands to reproduce, with PF enabled on mrouted2:

	    On mrouted1: mrouted -d3
	    On mrouted2: mrouted -d3
	    On generator: iperf -c 239.12.0.1 -u -T 32 -t 300 -i 2 -b 10 -l 400

	1 - generator sends to 239.12.0.1
	2 - mrouted1 receives 239.12.0.1
	3 - mrouted1 forwards 239.12.0.1 to mrouted2
	4 - mrouted2 tries to send a Prune to mrouted1 for 239.12.0.1

	At step 4, the debug output of mrouted2 shows the warning:

	    warning - sendto to 10.10.10.1 on 10.10.10.2: Permission denied
	    SENT prune message from 10.10.10.2 to 10.10.10.1
	    sent prune for (10.0.12/24 239.12.0.1)/400 on vif 2 to 10.10.10.1

	On mrouted2, tcpdump -eni pflog0 shows this line:

	    rule def/(ip-option) pass out on gif0: 10.10.10.2 > 10.10.10.1: igmp dvmrp Prune src 10.0.12.0 grp 239.12.0.1 timer 366

	Test with PF disabled:

	    On generator: stop iperf
	    On mrouted1: stop mrouted
	    On mrouted2: stop mrouted
	    On mrouted1: disable PF with pfctl -d
	    On mrouted2: disable PF with pfctl -d
	    On mrouted1: mrouted -d3
	    On mrouted2: mrouted -d3
	    On generator: iperf -c 239.12.0.1 -u -T 32 -t 300 -i 2 -b 10 -l 400

	No warning is shown in the mrouted2 debug output, no lines are shown on
	mrouted2's pflog0, and the IGMP DVMRP Prune messages are sent correctly.

Fix:
	Maybe a fix in the pf(4) code is needed to fully deliver the following:

	    "Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow
	    multicast control packets to work by default."
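Added note, not part of the report: the reason pf(4) logs in the pflog line above, "(ip-option)", is the one it gives when a packet is dropped because it carries IPv4 options, which a pass rule only permits when written with the pf.conf(5) allow-opts keyword. A rule-level workaround for the setup in the report, written as an added example (not from the report or the OpenBSD project) and assuming the tunnel interface name gif0 from the report, is to add after the default "pass" line:

```pf
# Added example: explicitly let IGMP (including the DVMRP messages mrouted
# exchanges) carry IP options across the tunnel. pf.conf is last-match, so
# these lines must come after the general "pass" rule of the default ruleset.
pass in  on gif0 proto igmp allow-opts
pass out on gif0 proto igmp allow-opts
```

After `pfctl -f /etc/pf.conf`, a Prune that previously produced the "(ip-option)" pflog line should no longer appear on pflog0; if it still does, the logged rule number tells which rule is taking the drop. This only sidesteps the default behaviour the report is about and does not replace the pf(4) change it asks for.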
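To spot this class of drop on a running router without reading the whole pflog, here is an added example (not from the report) that filters `tcpdump -eni pflog0` output for IGMP packets logged with the "(ip-option)" reason. The first sample line copies the shape of the line in the report; the other lines are constructed for the example.

```shell
#!/bin/sh
# Added example: detect IGMP packets that pf(4) logged with the "(ip-option)"
# reason, i.e. hit by the implicit drop of IPv4 packets carrying IP options.
# Sample pflog lines are constructed; in practice feed `tcpdump -eni pflog0`.
PFLOG_SAMPLE='rule def/(ip-option) pass out on gif0: 10.10.10.2 > 10.10.10.1: igmp dvmrp Prune src 10.0.12.0 grp 239.12.0.1 timer 366
rule 2/(match) pass out on gif0: 10.10.10.2 > 10.10.10.1: igmp dvmrp Probe
rule def/(ip-option) block in on em0: 192.0.2.7 > 224.0.0.22: igmp v3 report
rule 4/(match) block in on em0: 192.0.2.9.44332 > 192.0.2.1.22: tcp 60 [S]'

# Print every pflog line that is both IGMP and dropped for the ip-option reason.
# The leading "rule <id>/(ip-option)" token is what tcpdump prints for pflog.
igmp_ipopt_hits() {
    printf '%s\n' "$1" | grep -E '^rule [^ ]+/\(ip-option\) ' | grep -E ': igmp '
}

# Count such lines so a monitoring script can alert on a non-zero result.
igmp_ipopt_count() {
    igmp_ipopt_hits "$1" | wc -l | tr -d ' '
}

igmp_ipopt_hits "$PFLOG_SAMPLE"
```

Run against live data with `tcpdump -lneti pflog0 | while read -r line; do igmp_ipopt_hits "$line"; done`; a non-zero count while pf is loaded with a ruleset that should allow multicast control traffic is the symptom described in the report.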