Thanks Brian, https://www.openbsd.org/72.html says: "pf(4) automatically allows IGMP and ICMP6 MLD packets with the router alert option. Special allow-opts rules are no longer needed for multicast discovery."
This is true for some igmp dvmrp Probe, igmp dvmrp Report, igmp join/leave, igmp query. As far as I know, in dvmrp there are at least 3 more control messages: igmp dvmrp Prune igmp dvmrp Graft igmp dvmrp Graft-Ack These other control messages should not be blocked by PF, they should pass just like Probe and Report. I'm not expert in .c code, so I can't say where the code should be modified Il giorno gio 23 feb 2023 alle ore 14:51 Brian Conway < bcon...@rcesoftware.com> ha scritto: > On Thu, Feb 23, 2023, at 2:22 AM, Luca Di Gregorio wrote: > > Synopsis: PF still blocks IGMP multicast control packets > > Category: system > > Environment: > > System : OpenBSD 7.2 > > Details : OpenBSD 7.2 (GENERIC) #6: Sat Jan 21 01:01:28 MST > 2023 > > r...@syspatch-72-amd64.openbsd.org: > > /usr/src/sys/arch/amd64/compile/GENERIC > > > > Architecture: OpenBSD.amd64 > > Machine : amd64 > > > > Description: > > In https://www.openbsd.org/plus72.html it is stated that: > > "Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow multicast > > control > > packets to work by default." > > But, with PF enabled, igmp dvmrp Prune messages between two mrouted's are > > still blocked. > > If it's helpful, here are the discussion threads on the topic: > > https://marc.info/?t=165056102400001 > https://marc.info/?t=165064941500001 > https://marc.info/?t=165152723000003 > https://marc.info/?t=165153057300001 > > And the commits: > > https://marc.info/?l=openbsd-cvs&m=165122269521134&w=2 > https://marc.info/?l=openbsd-cvs&m=165158473312045&w=2 > > I can't speak to which option/packet combinations are blocked and which > are not, I was just happy to no longer need extra rules to quiet the > (option) logging. > > Brian Conway > >
