Date: Fri, 7 Aug 2020 15:25:25 +0200 From: Abelenda Diego <diego.abelenda@gmail.com> To: freebsd-net@freebsd.org Subject: Multicast issue, interface not leaving Mutlicast Group Message-ID: <20200807152525.711d4072@debian>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Hello, I have discovered that I had a multicast issue for years I did not know about. I use a FreeBSD (opnsense) setup as router for my home network and have igmpproxy for IPTV. Somehow everything seems to work, until I realized that my ISP was making a DoS with multicast. It is pretty much what was described years ago here: https://forum.netgate.com/topic/62591/igmp-issues-causing-isp-to-perform-multicast-dos-on-my-pfsense/7. But the solution of not using FreeBSD seem weird. So dug a lot learning about Multicast IGMPv{2,3} etc in the process. Here is an abstract of what I found: igmpproxy is performing "correctly" in that it will act upon to IGMPv2 Join request from the TV box by joining the multicast groups correctly. When the TV Box sends an IGMPv2 Leave request, igmpproxy will remove the source IP from the multicast table on the interface (the code is here https://github.com/pali/igmpproxy/blob/b7940fc75b36d5bcc3a07654fc1af76f179302a9/src/mcgroup.c#L58-L60 this same call is used for joining and leaving). This is where things start to go awry, as the action igmpproxy takes is not considered leaving the Multicast Group, so when the upstream multicast router sends an IGMPv3 Query, the Multicast Group is still listed in the IGMPv3 Report but in Exclude mode with the source listed in the excluded IPs. My ISP sees that the Group is still listed so it continues to send the multicast traffic apparently ignoring that the source is Excluded. Worst part is that killing igmpproxy changes nothing because the IGMPv3 Report is still sent (by the kernel I suppose since nothing should be running anymore) and includes the Multicast Groups as before. The only thing that resets the state of the Group Membership is bringing down the interface and reconfiguring it. Is this caused by a wrong "leave" handling by igmpproxy? (if yes is there an alternative ?) Is there any way to manually leaving Multicast Groups? I can see the Multicast forwarding table while igmpproxy is running with "netstat -g". I can also see the group membership state with "ifmcstat -i re1" but I have found no way to actually modify the membership of the interface. Extra info: When igmpproxy is running I can see two different kinds of entries in the Multicast Forwarding Table. For a Multicast group that is currently "joined" according to igmpproxy I can see a line something like: IPv4 Multicast Forwarding Table Origin Group Packets In-Vif Out-Vifs:Ttls 213.3.72.5 239.186.64.71 10763 2 For a multicast group that was previously joined but should not be anymore I see: IPv4 Multicast Forwarding Table Origin Group Packets In-Vif Out-Vifs:Ttls 213.3.72.5 239.186.68.20 0 65535 ifmcstat shows the multicast groups, with exclude mode set: # ifmcstat -i re1 re1: inet $MY_PUBLIC_IP igmpv3 rv 2 qi 30 qri 50 uri 3 group 239.186.64.71 mode exclude mcast-macaddr 01:00:5e:3a:40:47 group 239.186.70.37 mode exclude mcast-macaddr 01:00:5e:3a:46:25 group 239.186.68.242 mode exclude mcast-macaddr 01:00:5e:3a:44:f2 group 239.186.68.178 mode exclude mcast-macaddr 01:00:5e:3a:44:b2 group 239.186.68.20 mode exclude mcast-macaddr 01:00:5e:3a:44:14 group 239.186.68.3 mode exclude mcast-macaddr 01:00:5e:3a:44:03 [...] Best regards, Diego Abelenda [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEhLBEGh6nN5+aat9KomT4UAfkGfgFAl8tVkUACgkQomT4UAfk GfgsWA/8DoIf5j+Gn4oaGMx5k0DiQNeuUbl25t+Y+XF20joyet1rbnOtLvqov08z VMCDy6tu4RuY23dI/Q6s4m7Xxf4zFy+iKBTpbwiQjJesvh5GDdMqnvxJYytXD0kZ IudmNVaRFY9il1n7kULbOVCl1lk51UDgua76ysBdH5DeJNMGg+8mB/CXurNHl7ol K+asrMwXJ1DWAWm58f5icoZlMdr0dwL9dkMaN7VKGnP9lIyOLexpAAB95Y6pYp7g xgi28wVeeOQazHZO2rO/StNWR9oxuM1Lm68K9nXCQdTx8pCQ+n7qNQ5fh8JIwalH 1c9ydB1XyHh8JCEbw4dQkM8HvqxCtx8er7baKhWK82p4/xPsOSUydGxQpzg6lbVA q06/9rawcBxVrBqvtU/ozIclnSueq9oIcN3Kgf0PlbI+XzFjrVBppOvsjSikQ2YU guZptgLe3Gn+NxhzIPsG8cSq+252TdS3mIFdoAcxfG5SC3RQ8bXJD5sQYB1TBUfV mC7qWli8flU2t9DdPpsszwm0YB8EYl3ChnhwkIpAnP+zXlDnkm3Ntx9PY1k1AHzG DjSASwFjoyAME7Mz22NXCIlNDewwTSaRbKxfUaVssgYfwq6+iCWlAFp3FnYr6/pc u9uCq/pbg5TUg8S+dCPU6JbmmB7Ke2noUQcCcuVD0kUi0lkl5+I= =p6fk -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200807152525.711d4072>