On Fri, Mar 03, 2023 at 08:54:51AM +0100, Luca Di Gregorio wrote:
> Hi, just another bit of info about this issue.

Instead of implementing more and more details of RFC, we should
discuss what the goal is.

We had a pf that dropped valid IGMP packets due to router-alert
option.  So I added code to pass them, but still block other options.
This is necessary for working multicast.

Then sashan@ committed a diff that blocks packets with bad TTL or
destination address.  This was too strict for some use cases as we
see now.  But it may improve security.

What are the IGMP illegal packets that an attacker might use?  We
should drop them.  This IGMP logic is deep down in pf that a user
cannot override.  So we should be careful not to destroy valid use
cases.  Replacing || with && somehow in the if condition looks
reasonable to me.

bluhm
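Added example, not from the thread and not pf's code: a small C model of the two filter policies being discussed. It parses a constructed IPv4/IGMP packet, records whether a router-alert option (RFC 2113, type 0x94) or some other IP option is present, whether the TTL is 1, and whether the destination is a 224.0.0.0/4 multicast address, then applies a strict policy (drop on bad TTL || bad destination, the behaviour the message says is too strict for some use cases) and a lenient one (drop only on bad TTL && bad destination, one reading of the proposed change). The verdict names, the `igmp_checks` struct and the packet builder are assumptions made for the example; checksums are not verified and a missing router-alert option is not penalised, since the message only says pf passes router-alert and blocks other options.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical verdicts for the example; not pf's own constants. */
enum verdict { PASS = 0, DROP = 1 };

struct igmp_checks {
    bool has_router_alert;   /* RFC 2113 router-alert option present */
    bool has_other_options;  /* any option other than RA, NOP or EOL */
    bool bad_ttl;            /* TTL != 1 */
    bool bad_dst;            /* destination not in 224.0.0.0/4 */
};

/* Walk the IPv4 header of an IGMP packet and fill in the checks.
 * Returns false if the packet is too short or malformed to evaluate. */
static bool
inspect_igmp(const uint8_t *pkt, size_t len, struct igmp_checks *c)
{
    memset(c, 0, sizeof(*c));
    if (len < 20 || (pkt[0] >> 4) != 4)
        return false;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len || pkt[9] != 2)   /* 2 = IPPROTO_IGMP */
        return false;
    c->bad_ttl = (pkt[8] != 1);
    c->bad_dst = ((pkt[16] & 0xf0) != 0xe0);
    for (size_t i = 20; i < hlen; ) {            /* IP options */
        uint8_t type = pkt[i];
        if (type == 0) break;                    /* end of option list */
        if (type == 1) { i++; continue; }        /* no-op */
        if (i + 1 >= hlen) return false;
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen) return false;
        if (type == 0x94 && olen == 4 && pkt[i + 2] == 0 && pkt[i + 3] == 0)
            c->has_router_alert = true;
        else
            c->has_other_options = true;
        i += olen;
    }
    return true;
}

/* Strict policy: any anomaly drops the packet (the "||" form). */
static enum verdict policy_strict(const struct igmp_checks *c)
{
    if (c->has_other_options) return DROP;
    return (c->bad_ttl || c->bad_dst) ? DROP : PASS;
}

/* Lenient policy: only a packet that is wrong on both counts is dropped
 * (one reading of the proposed "&&" form); other options still drop. */
static enum verdict policy_lenient(const struct igmp_checks *c)
{
    if (c->has_other_options) return DROP;
    return (c->bad_ttl && c->bad_dst) ? DROP : PASS;
}

/* Build a constructed IPv4 + IGMPv2 membership report. dst0 is the first
 * octet of the destination (rest is .0.0.1); opt_type 0 means no options,
 * otherwise a single 4-byte option of that type is added. */
static size_t
build_igmp_packet(uint8_t *buf, uint8_t ttl, uint8_t dst0, uint8_t opt_type)
{
    static const uint8_t src[4] = {192, 0, 2, 10};    /* constructed source */
    const uint8_t dst[4] = {dst0, 0, 0, 1};
    size_t hlen = opt_type ? 24 : 20, total = hlen + 8;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (hlen / 4));
    buf[3] = (uint8_t)total;
    buf[8] = ttl;
    buf[9] = 2;
    memcpy(&buf[12], src, 4);
    memcpy(&buf[16], dst, 4);
    if (opt_type) { buf[20] = opt_type; buf[21] = 4; }
    buf[hlen] = 0x16;                 /* IGMPv2 membership report */
    memcpy(&buf[hlen + 4], dst, 4);   /* group address; checksum left zero */
    return total;
}

/* Returns -1 on parse failure, else (strict << 1) | lenient. */
static int verdicts(uint8_t ttl, uint8_t dst0, uint8_t opt_type)
{
    uint8_t buf[64];
    struct igmp_checks c;
    size_t len = build_igmp_packet(buf, ttl, dst0, opt_type);
    if (!inspect_igmp(buf, len, &c)) return -1;
    return (policy_strict(&c) << 1) | policy_lenient(&c);
}

int main(void)
{
    printf("ttl1 224 RA   : %d\n", verdicts(1, 224, 0x94));   /* 0: both pass */
    printf("ttl64 224 RA  : %d\n", verdicts(64, 224, 0x94));  /* 2: strict drops only */
    printf("ttl64 10 RA   : %d\n", verdicts(64, 10, 0x94));   /* 3: both drop */
    printf("ttl1 224 opt7 : %d\n", verdicts(1, 224, 0x07));   /* 3: other option */
    return 0;
}
```

The second case is the one the thread is about: a report to 224.0.0.1 sent with TTL 64 is rejected by the strict form but accepted by the lenient one, while a packet carrying a non-router-alert option is dropped under both.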
