Date: Fri, 7 Aug 2020 15:25:25 +0200 From: Abelenda Diego <diego.abelenda@gmail.com> To: freebsd-net@freebsd.org Subject: Multicast issue, interface not leaving Mutlicast Group Message-ID: <20200807152525.711d4072@debian>
next in thread | raw e-mail | index | archive | help
--Sig_/.Rd5rh1W4J6Jz1Ls.wE0Tfa Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Hello, I have discovered that I had a multicast issue for years I did not know abo= ut. I use a FreeBSD (opnsense) setup as router for my home network and have= igmpproxy for IPTV. Somehow everything seems to work, until I realized tha= t my ISP was making a DoS with multicast. It is pretty much what was descri= bed years ago here: https://forum.netgate.com/topic/62591/igmp-issues-causi= ng-isp-to-perform-multicast-dos-on-my-pfsense/7. But the solution of not us= ing FreeBSD seem weird. So dug a lot learning about Multicast IGMPv{2,3} et= c in the process. Here is an abstract of what I found: igmpproxy is performing "correctly" in that it will act upon to IGMPv2 Join= request from the TV box by joining the multicast groups correctly. When the TV Box sends an IGMPv2 Leave request, igmpproxy will remove the so= urce IP from the multicast table on the interface (the code is here https:/= /github.com/pali/igmpproxy/blob/b7940fc75b36d5bcc3a07654fc1af76f179302a9/sr= c/mcgroup.c#L58-L60 this same call is used for joining and leaving). This is where things start to go awry, as the action igmpproxy takes is not= considered leaving the Multicast Group, so when the upstream multicast rou= ter sends an IGMPv3 Query, the Multicast Group is still listed in the IGMPv= 3 Report but in Exclude mode with the source listed in the excluded IPs. My ISP sees that the Group is still listed so it continues to send the mult= icast traffic apparently ignoring that the source is Excluded. Worst part is that killing igmpproxy changes nothing because the IGMPv3 Rep= ort is still sent (by the kernel I suppose since nothing should be running = anymore) and includes the Multicast Groups as before. The only thing that r= esets the state of the Group Membership is bringing down the interface and = reconfiguring it. Is this caused by a wrong "leave" handling by igmpproxy? (if yes is there a= n alternative ?) Is there any way to manually leaving Multicast Groups? I c= an see the Multicast forwarding table while igmpproxy is running with "nets= tat -g". I can also see the group membership state with "ifmcstat -i re1" b= ut I have found no way to actually modify the membership of the interface. Extra info: When igmpproxy is running I can see two different kinds of entries in the M= ulticast Forwarding Table. For a Multicast group that is currently "joined"= according to igmpproxy I can see a line something like: IPv4 Multicast Forwarding Table Origin Group Packets In-Vif Out-Vifs:Ttls 213.3.72.5 239.186.64.71 10763 2 For a multicast group that was previously joined but should not be anymore = I see: IPv4 Multicast Forwarding Table Origin Group Packets In-Vif Out-Vifs:Ttls 213.3.72.5 239.186.68.20 0 65535 =20 ifmcstat shows the multicast groups, with exclude mode set: # ifmcstat -i re1 re1: inet $MY_PUBLIC_IP igmpv3 rv 2 qi 30 qri 50 uri 3 group 239.186.64.71 mode exclude mcast-macaddr 01:00:5e:3a:40:47 group 239.186.70.37 mode exclude mcast-macaddr 01:00:5e:3a:46:25 group 239.186.68.242 mode exclude mcast-macaddr 01:00:5e:3a:44:f2 group 239.186.68.178 mode exclude mcast-macaddr 01:00:5e:3a:44:b2 group 239.186.68.20 mode exclude mcast-macaddr 01:00:5e:3a:44:14 group 239.186.68.3 mode exclude mcast-macaddr 01:00:5e:3a:44:03 [...] Best regards, Diego Abelenda --Sig_/.Rd5rh1W4J6Jz1Ls.wE0Tfa Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEhLBEGh6nN5+aat9KomT4UAfkGfgFAl8tVkUACgkQomT4UAfk GfgsWA/8DoIf5j+Gn4oaGMx5k0DiQNeuUbl25t+Y+XF20joyet1rbnOtLvqov08z VMCDy6tu4RuY23dI/Q6s4m7Xxf4zFy+iKBTpbwiQjJesvh5GDdMqnvxJYytXD0kZ IudmNVaRFY9il1n7kULbOVCl1lk51UDgua76ysBdH5DeJNMGg+8mB/CXurNHl7ol K+asrMwXJ1DWAWm58f5icoZlMdr0dwL9dkMaN7VKGnP9lIyOLexpAAB95Y6pYp7g xgi28wVeeOQazHZO2rO/StNWR9oxuM1Lm68K9nXCQdTx8pCQ+n7qNQ5fh8JIwalH 1c9ydB1XyHh8JCEbw4dQkM8HvqxCtx8er7baKhWK82p4/xPsOSUydGxQpzg6lbVA q06/9rawcBxVrBqvtU/ozIclnSueq9oIcN3Kgf0PlbI+XzFjrVBppOvsjSikQ2YU guZptgLe3Gn+NxhzIPsG8cSq+252TdS3mIFdoAcxfG5SC3RQ8bXJD5sQYB1TBUfV mC7qWli8flU2t9DdPpsszwm0YB8EYl3ChnhwkIpAnP+zXlDnkm3Ntx9PY1k1AHzG DjSASwFjoyAME7Mz22NXCIlNDewwTSaRbKxfUaVssgYfwq6+iCWlAFp3FnYr6/pc u9uCq/pbg5TUg8S+dCPU6JbmmB7Ke2noUQcCcuVD0kUi0lkl5+I= =p6fk -----END PGP SIGNATURE----- --Sig_/.Rd5rh1W4J6Jz1Ls.wE0Tfa--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200807152525.711d4072>