From: Abelenda Diego
Date: Fri, 7 Aug 2020 15:25:25 +0200
To: freebsd-net@freebsd.org
Subject: Multicast issue, interface not leaving Multicast Group
Message-ID: <20200807152525.711d4072@debian>

Hello,

I have discovered that I had a multicast issue for years I did not know about. I use a FreeBSD (OPNsense) setup as router for my home network and have igmpproxy for IPTV. Somehow everything seems to work, until I realized that my ISP was making a DoS with multicast. It is pretty much what was described years ago here: https://forum.netgate.com/topic/62591/igmp-issues-causing-isp-to-perform-multicast-dos-on-my-pfsense/7. But the solution of not using FreeBSD seems weird. So I dug a lot, learning about Multicast IGMPv{2,3} etc. in the process.

Here is an abstract of what I found:

igmpproxy is performing "correctly" in that it will act upon an IGMPv2 Join request from the TV box by joining the multicast groups correctly.

When the TV Box sends an IGMPv2 Leave request, igmpproxy will remove the source IP from the multicast table on the interface (the code is here https://github.com/pali/igmpproxy/blob/b7940fc75b36d5bcc3a07654fc1af76f179302a9/src/mcgroup.c#L58-L60 this same call is used for joining and leaving).

This is where things start to go awry, as the action igmpproxy takes is not considered leaving the Multicast Group, so when the upstream multicast router sends an IGMPv3 Query, the Multicast Group is still listed in the IGMPv3 Report but in Exclude mode with the source listed in the excluded IPs.

My ISP sees that the Group is still listed so it continues to send the multicast traffic, apparently ignoring that the source is Excluded.

Worst part is that killing igmpproxy changes nothing because the IGMPv3 Report is still sent (by the kernel I suppose, since nothing should be running anymore) and includes the Multicast Groups as before. The only thing that resets the state of the Group Membership is bringing down the interface and reconfiguring it.

Is this caused by a wrong "leave" handling by igmpproxy? (If yes, is there an alternative?) Is there any way to manually leave Multicast Groups? I can see the Multicast forwarding table while igmpproxy is running with "netstat -g". I can also see the group membership state with "ifmcstat -i re1" but I have found no way to actually modify the membership of the interface.

Extra info:

When igmpproxy is running I can see two different kinds of entries in the Multicast Forwarding Table.

For a Multicast group that is currently "joined" according to igmpproxy I can see a line something like:

IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 213.3.72.5      239.186.64.71       10763      2

For a multicast group that was previously joined but should not be anymore I see:

IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 213.3.72.5      239.186.68.20           0  65535

ifmcstat shows the multicast groups, with exclude mode set:

# ifmcstat -i re1
re1:
    inet $MY_PUBLIC_IP
    igmpv3 rv 2 qi 30 qri 50 uri 3
        group 239.186.64.71 mode exclude
            mcast-macaddr 01:00:5e:3a:40:47
        group 239.186.70.37 mode exclude
            mcast-macaddr 01:00:5e:3a:46:25
        group 239.186.68.242 mode exclude
            mcast-macaddr 01:00:5e:3a:44:f2
        group 239.186.68.178 mode exclude
            mcast-macaddr 01:00:5e:3a:44:b2
        group 239.186.68.20 mode exclude
            mcast-macaddr 01:00:5e:3a:44:14
        group 239.186.68.3 mode exclude
            mcast-macaddr 01:00:5e:3a:44:03
[...]

Best regards,
Diego Abelenda
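
Added example, not part of the original message and not igmpproxy or FreeBSD code: a small Python check that cross-references "ifmcstat" memberships against the "netstat -g" forwarding table to list groups the interface still holds without a live forwarding entry. The sample text is constructed in the shape of the outputs quoted above (192.0.2.10 is a placeholder address), and treating In-Vif 65535 as "no input interface" is an assumption based on the entry the message shows.

```python
import ipaddress
import re

NO_VIF = 65535  # In-Vif shown in the message for the left group; meaning assumed
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # e.g. 224.0.0.1, always joined

# Constructed sample input shaped like the outputs quoted in the message.
NETSTAT_G = (
    "IPv4 Multicast Forwarding Table\n"
    " Origin          Group             Packets In-Vif  Out-Vifs:Ttls\n"
    " 213.3.72.5      239.186.64.71       10763    2\n"
    " 213.3.72.5      239.186.68.20           0 65535\n"
)
IFMCSTAT = (
    "re1:\n"
    "\tinet 192.0.2.10\n"
    "\tigmpv3 rv 2 qi 30 qri 50 uri 3\n"
    "\t\tgroup 224.0.0.1 mode exclude\n"
    "\t\tgroup 239.186.64.71 mode exclude\n"
    "\t\tgroup 239.186.68.20 mode exclude\n"
    "\t\tgroup 239.186.68.3 mode exclude\n"
)

def forwarding_groups(netstat_text):
    """Groups that have at least one forwarding entry with a usable In-Vif."""
    active = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit() and int(f[3]) != NO_VIF:
            active.add(f[1])
    return active

def joined_groups(ifmcstat_text):
    """(interface, group, mode) for every IPv4 membership ifmcstat lists."""
    found, ifname = [], None
    for line in ifmcstat_text.splitlines():
        head = re.match(r"(\S+):\s*$", line)
        if head:
            ifname = head.group(1)
        m = re.match(r"\s+group\s+(\d+(?:\.\d+){3})\s+mode\s+(\S+)", line)
        if m:
            found.append((ifname, m.group(1), m.group(2)))
    return found

def stale_memberships(ifmcstat_text, netstat_text):
    """Memberships ifmcstat still lists that have no live forwarding entry."""
    active = forwarding_groups(netstat_text)
    return [(i, g, mode) for i, g, mode in joined_groups(ifmcstat_text)
            if ipaddress.ip_address(g) not in LINK_LOCAL and g not in active]

if __name__ == "__main__":
    for ifname, group, mode in stale_memberships(IFMCSTAT, NETSTAT_G):
        print(f"{ifname}: {group} still joined (mode {mode}), not forwarded")
```

On a live router the two strings would be replaced by the captured output of "ifmcstat -i re1" and "netstat -g".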