Viewing the thread at https://marc.info/?l=openbsd-cvs&m=165158473312045&w=2
I think that the problem is with TTL and Destination Address.

"MLD/IGMP messages with ttl other than 1 will be discarded"
"IGMP messages with destination address other than multicast class will be discarded."

Prune messages (and maybe Graft and Graft-Ack messages as well) are sent by mrouted with TTL>1 (actually, 255). And Destination Address is the unicast address of the adjacent Multicast Router.

tcpdump -vvv -n -i wg1112 igmp:
10.11.12.1 > 10.11.12.2: igmp dvmrp Prune src 10.0.12.0 grp 239.12.0.1 timer 556 (ttl 255, id 58191, len 40)

I think that, at least for DVMRP (don't know for other protocols related to multicasting), the blocking logic should be based only on the Type's value of the IGMP Header.

RFC 1075: "The type for DVMRP is 3."

--> Logic in PF: If IGMP Type is 3 Then pass <--- not based on TTL and not based on Destination Address

On Thu, 23 Feb 2023 at 15:15, Luca Di Gregorio <luc...@gmail.com> wrote:

> Thanks Brian,
>
> https://www.openbsd.org/72.html says:
> "pf(4) automatically allows IGMP and ICMP6 MLD packets with the router
> alert option. Special allow-opts rules are no longer needed for multicast
> discovery."
>
> This is true for some igmp dvmrp Probe, igmp dvmrp Report, igmp
> join/leave, igmp query.
>
> As far as I know, in dvmrp there are at least 3 more control messages:
> igmp dvmrp Prune
> igmp dvmrp Graft
> igmp dvmrp Graft-Ack
>
> These other control messages should not be blocked by PF, they should pass
> just like Probe and Report.
>
> I'm not an expert in .c code, so I can't say where the code should be modified
>
> On Thu, 23 Feb 2023 at 14:51, Brian Conway <bcon...@rcesoftware.com> wrote:
>
>> On Thu, Feb 23, 2023, at 2:22 AM, Luca Di Gregorio wrote:
>> > Synopsis: PF still blocks IGMP multicast control packets
>> > Category: system
>> > Environment:
>> > System : OpenBSD 7.2
>> > Details : OpenBSD 7.2 (GENERIC) #6: Sat Jan 21 01:01:28 MST 2023
>> > r...@syspatch-72-amd64.openbsd.org:
>> > /usr/src/sys/arch/amd64/compile/GENERIC
>> >
>> > Architecture: OpenBSD.amd64
>> > Machine : amd64
>> >
>> > Description:
>> > In https://www.openbsd.org/plus72.html it is stated that:
>> > "Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow multicast
>> > control packets to work by default."
>> > But, with PF enabled, igmp dvmrp Prune messages between two mrouted's are
>> > still blocked.
>>
>> If it's helpful, here are the discussion threads on the topic:
>>
>> https://marc.info/?t=165056102400001
>> https://marc.info/?t=165064941500001
>> https://marc.info/?t=165152723000003
>> https://marc.info/?t=165153057300001
>>
>> And the commits:
>>
>> https://marc.info/?l=openbsd-cvs&m=165122269521134&w=2
>> https://marc.info/?l=openbsd-cvs&m=165158473312045&w=2
>>
>> I can't speak to which option/packet combinations are blocked and which
>> are not, I was just happy to no longer need extra rules to quiet the
>> (option) logging.
>>
>> Brian Conway
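
The two rules quoted from the commit message at the top of this thread, modeled as a standalone C check and run against the Prune packet from the tcpdump line. This is an added example, not pf's code and not part of the thread; the function name, flag names and byte arrays are constructed, and DVMRP codes 1 (Probe) and 7 (Prune) are assumed from mrouted's numbering.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IGMP_DVMRP 0x13   /* RFC 1075 "type 3" with version nibble 1 */
#define FAIL_TTL   0x1    /* "ttl other than 1" */
#define FAIL_DST   0x2    /* "destination address other than multicast class" */

/* Returns -1 if not a parseable IPv4/IGMP packet, else a bitmask of the
 * quoted rules the packet violates (0 = neither). */
int igmp_rule_check(const uint8_t *p, size_t len, uint8_t *type, uint8_t *code)
{
    if (len < 20 || (p[0] >> 4) != 4 || p[9] != 2)   /* protocol 2 = IGMP */
        return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;          /* header may carry options */
    if (ihl < 20 || len < ihl + 2)
        return -1;
    *type = p[ihl];
    *code = p[ihl + 1];
    int fails = 0;
    if (p[8] != 1)
        fails |= FAIL_TTL;
    if ((p[16] & 0xf0) != 0xe0)                      /* outside 224.0.0.0/4 */
        fails |= FAIL_DST;
    return fails;
}

/* Constructed from the tcpdump line: 10.11.12.1 > 10.11.12.2, ttl 255,
 * id 58191, len 40; checksums zeroed. */
const uint8_t prune_pkt[40] = {
    0x45,0x00,0x00,0x28, 0xe3,0x4f,0x00,0x00, 0xff,0x02,0x00,0x00,
    0x0a,0x0b,0x0c,0x01, 0x0a,0x0b,0x0c,0x02,
    0x13,0x07,0x00,0x00, 0x00,0x00,0x00,0x00,        /* DVMRP, code 7 = Prune */
    0x0a,0x00,0x0c,0x00, 0xef,0x0c,0x00,0x01, 0x00,0x00,0x02,0x2c };

/* Constructed comparison: DVMRP Probe (code 1) to 224.0.0.4 with ttl 1. */
const uint8_t probe_pkt[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x01,0x02,0x00,0x00,
    0x0a,0x0b,0x0c,0x01, 0xe0,0x00,0x00,0x04,
    0x13,0x01,0x00,0x00, 0x00,0x00,0x00,0x00 };

int main(void)
{
    uint8_t t = 0, c = 0;
    int r = igmp_rule_check(prune_pkt, sizeof prune_pkt, &t, &c);
    printf("prune: type 0x%02x code %u fails 0x%x\n", t, c, r);
    r = igmp_rule_check(probe_pkt, sizeof probe_pkt, &t, &c);
    printf("probe: type 0x%02x code %u fails 0x%x\n", t, c, r);
    return 0;
}
```

Both packets carry the same IGMP type; the Prune trips both rules and the Probe trips neither, so only the IP-layer TTL and destination separate them.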