Date:      Tue, 16 Nov 2021 12:44:40 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 259879] enabling PF blocks multicast/igmp sendto
Message-ID:  <bug-259879-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259879

            Bug ID: 259879
           Summary: enabling PF blocks multicast/igmp sendto
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: johan@stromnet.se

While trying to get multicast routing to work on my FreeBSD 12.2-based router,
I tried mrouted, then igmpproxy, then pimd. The latter two actually show
errors; mrouted did not. In any case, I never got the machine to send out any
IGMP join packets, nor pick up any IGMP joins from local nodes.
On another machine, where I ran a basic socat test (see below), the machine
never produced any IGMP Join packets. Trying the same on a Linux machine worked
fine.

At least one other person has had these issues with pimd, but probably not
related to pimd: https://github.com/troglobit/pimd/issues/171


After doing tests on clean VMs, I've nailed it down to PF. Having pf just
enabled, even with blank rules, seems to block outbound multicast/igmp somehow.

Reproducible:

1. Launch blank VM with FreeBSD 12.2 or 13.0 qcow image in KVM:
2. Prepare:

  pkg install pimd truss
  kldload ip_mroute

3. Launch pimd, working with no errors:

root@freebsd:~ #  pimd -f
^C

4. Enable pf (blank, no rules):


root@freebsd:~ # pfctl -e
root@freebsd:~ #

5. Now trying to use pimd, gives failures to send:

root@freebsd:~ # pimd -f
pimd: 12:30:03.170 Sendto to 224.0.0.1 on 172.28.6.15: Permission denied


6. Disable pf again and it works fine again...
7. truss output (from socket creation to sendto failure) with pf enabled (but
no rules at all):

socket(PF_INET,SOCK_RAW,IPPROTO_IGMP)            = 4 (0x4)
setsockopt(4,IPPROTO_IP,IP_HDRINCL,0x7fffffffe6dc,4) = 0 (0x0)
setsockopt(4,SOL_SOCKET,SO_SNDBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(4,SOL_SOCKET,SO_RCVBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_TTL,0x7fffffffe6df,1) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_LOOP,0x7fffffffe6d7,1) = 0 (0x0)
socket(PF_INET,SOCK_RAW,IPPROTO_PIM)             = 5 (0x5)
setsockopt(5,IPPROTO_IP,IP_HDRINCL,0x7fffffffe6dc,4) = 0 (0x0)
setsockopt(5,SOL_SOCKET,SO_SNDBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(5,SOL_SOCKET,SO_RCVBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(5,IPPROTO_IP,IP_MULTICAST_TTL,0x7fffffffe6df,1) = 0 (0x0)
setsockopt(5,IPPROTO_IP,IP_MULTICAST_LOOP,0x7fffffffe6d7,1) = 0 (0x0)
mmap(0x0,135168,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34366939136 (0x8006de000)
mmap(0x0,135168,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34367074304 (0x8006ff000)
socket(PF_ROUTE,SOCK_RAW,0)                      = 6 (0x6)
fcntl(6,F_SETFL,O_RDONLY|O_NONBLOCK)             = 0 (0x0)
socket(PF_INET,SOCK_DGRAM,0)                     = 7 (0x7)
ioctl(7,SIOCGIFCONF,0x7fffffffe690)              = 0 (0x0)
ioctl(7,SIOCGIFFLAGS,0x7fffffffe6a0)             = 0 (0x0)
ioctl(7,SIOCGIFNETMASK,0x7fffffffe6a0)           = 0 (0x0)
ioctl(7,SIOCGIFMTU,0x7fffffffe6a0)               = 0 (0x0)
ioctl(7,SIOCGIFFLAGS,0x7fffffffe6a0)             = 0 (0x0)
open("/usr/local/etc//pimd.conf",O_RDONLY,0666)  = 8 (0x8)
fstat(8,{ mode=-rw-r--r-- ,inode=321234,size=6435,blksize=32768 }) = 0 (0x0)
mmap(0x0,36864,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34367209472 (0x800720000)
read(8,"# Exmaple configuration file for"...,32768) = 6435 (0x1923)
read(8,0x8007204c0,32768)                        = 0 (0x0)
close(8)                                         = 0 (0x0)
setsockopt(4,IPPROTO_IP,100,0x7fffffffe6dc,4)    = 0 (0x0)
setsockopt(4,IPPROTO_IP,107,0x7fffffffe6dc,4)    = 0 (0x0)
getrandom("\M-2\f\M-M\M-@\M-7\^\ \M-jU\v"...,40,0) = 40 (0x28)
mmap(0x0,1104,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34367246336 (0x800729000)
minherit(0x800729000,1104,INHERIT_ZERO)          = 0 (0x0)
setsockopt(4,IPPROTO_IP,102,0x7fffffffe698,16)   = 0 (0x0)
setsockopt(5,IPPROTO_IP,IP_ADD_MEMBERSHIP,0x7fffffffe698,8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_ADD_MEMBERSHIP,0x7fffffffe698,8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_ADD_MEMBERSHIP,0x7fffffffe698,8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_IF,0x7fffffffe5c8,4) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_LOOP,0x7fffffffe5c7,1) = 0 (0x0)
sendto(4,"F\M-@\0$\0\0\0\0\M^?\^B\0\0\M-,"...,36,0,{ AF_INET 224.0.0.1:0 },16) ERR#13 'Permission denied'




Another test case, with socat:
1. Disable pf on FreeBSD machine (172.28.6.15)
2. Start tcpdump on another machine in same network.
3. Start socat on freebsd machine:

   socat -d -d -u UDP4-RECV:5568,ip-add-membership=239.255.0.100:172.28.6.15 /dev/null

4. Check tcpdump output on another machine, you can see the IGMP Joins

   13:40:29.226382 IP 172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s)

5. Enable pf (blank rules), run socat again. No IGMP traffic whatsoever seen on
remote machine.

-- 
You are receiving this mail because:
You are the assignee for the bug.
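
Added example, not part of the original report: decoding the vis(3)-escaped buffer prefix that truss printed for the failing sendto() shows what kind of IPv4 header pimd handed to the kernel, in particular whether it carries IP options. That matters when reading the trace because pf.conf(5) documents that IPv4 packets with IP options are blocked unless the matching pass rule has `allow-opts`; the report itself does not identify a cause. The function names `unvis` and `parse_ipv4_prefix` are this example's own.

```python
import struct

# Buffer prefix exactly as truss printed it for the failing sendto() call.
TRUSS_BUF = r"F\M-@\0$\0\0\0\0\M^?\^B\0\0\M-,"

# C-style escapes that vis(3) can emit.
C_ESCAPES = {"0": 0, "a": 7, "b": 8, "t": 9, "n": 10,
             "v": 11, "f": 12, "r": 13, "s": 32, "\\": 92}


def _ctrl(ch):
    """vis(3) control notation: ^? is DEL, ^X is X with the upper bits cleared."""
    return 0x7F if ch == "?" else ord(ch) & 0x1F


def unvis(text):
    """Decode the subset of vis(3) escapes seen in truss output into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
            continue
        nxt, oct3 = text[i + 1], text[i + 1:i + 4]
        if nxt == "M":                      # \M-c or \M^c: high bit set
            kind, ch = text[i + 2], text[i + 3]
            out.append(0x80 | (_ctrl(ch) if kind == "^" else ord(ch)))
            i += 4
        elif nxt == "^":                    # \^c: control character
            out.append(_ctrl(text[i + 2]))
            i += 3
        elif len(oct3) == 3 and all(c in "01234567" for c in oct3):
            out.append(int(oct3, 8))        # \ooo: three-digit octal
            i += 4
        else:                               # \0, \f, \v, ...
            out.append(C_ESCAPES[nxt])
            i += 2
    return bytes(out)


def parse_ipv4_prefix(raw):
    """Parse the first 10 bytes of an IPv4 header (network byte order)."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = ver_ihl & 0x0F                    # header length in 32-bit words
    return {"version": ver_ihl >> 4, "header_len": ihl * 4,
            "has_options": ihl > 5,         # more than the 20-byte base header
            "total_len": total_len, "ttl": ttl, "proto": proto}


if __name__ == "__main__":
    print(parse_ipv4_prefix(unvis(TRUSS_BUF)))
```

The decoded total length equals the 36 bytes passed to sendto(), the protocol field is 2 (IGMP), and the header length is 24 bytes, so the packet carries 4 bytes of IP options.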


