lists.openwall.net: Open Source and information security mailing list archives
Date: Fri, 18 Jun 2021 00:07:31 +0000
From: Callum Sinclair <Callum.Sinclair@...iedtelesis.co.nz>
To: Linus Lüssing <linus.luessing@...3.blue>
CC: "dsahern@...nel.org" <dsahern@...nel.org>, "nikolay@...dia.com" <nikolay@...dia.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "troglobit@...il.com" <troglobit@...il.com>
Subject: Re: [PATCH 1/1] net: Allow all multicast packets to be received on a interface.

Hi Linus

> I'm also wondering if it could be useful to configure it via
> setsockopt() per application instead of per device via sysctl. Either by
> adding a new socket option. Or by allowing the any IP address
> 0.0.0.0 / :: with IP_ADD_MEMBERSHIP/IPV6_JOIN_GROUP. So that you
> could use this for instance:

Yes, perhaps this would be a better way to get multicast snooping working with the existing options. I can see that using a multicast routing IP socket I will receive all IGMP and MLD data from that. I was just not creating the socket as a multicast routing socket.

> Or would you prefer to be able to use a layer 3 IP instead of
> a layer 2 packet socket?

Yes, I was preferring to use a L3 IP socket instead of a L2 packet socket. This was to have access to additional data from IP_PKTINFO.

Cheers
Callum

________________________________________
From: Linus Lüssing <linus.luessing@...3.blue>
Sent: Friday, June 18, 2021 12:33 AM
To: Callum Sinclair
Cc: dsahern@...nel.org; nikolay@...dia.com; netdev@...r.kernel.org; linux-kernel@...r.kernel.org; troglobit@...il.com
Subject: Re: [PATCH 1/1] net: Allow all multicast packets to be received on a interface.

Hi Callum,

On Thu, Jun 17, 2021 at 09:50:20PM +1200, Callum Sinclair wrote:
> +mc_snooping - BOOLEAN
> + Enable multicast snooping on the interface. This allows any given
> + multicast group to be received without explicitly being joined.
> + The kernel needs to be compiled with CONFIG_MROUTE and/or
> + CONFIG_IPV6_MROUTE.
> + conf/all/mc_snooping must also be set to TRUE to enable multicast
> + snooping for the interface.
> +

Generally this sounds like a useful feature.

One note: When there are snooping bridges/switches involved, you might run into issues in receiving all multicast packets, as due to the missing IGMP/MLD reports the snooping switches won't forward to you. In that case, to conform to RFC4541 you would also need to become the selected IGMP/MLD querier and send IGMP/MLD query messages. Or better, you'd need to send Multicast Router Advertisements (RFC4286). The latter is the recommended, more flexible way but might not be supported by all multicast snooping switches yet. The Linux bridge supports this. There is a userspace tool called mrdisc you can use for MRD-Adv. though: https://github.com/troglobit/mrdisc

So no need to implement MRD Advertisements in the kernel with this patch (though I could imagine that it might be a useful feature to have, having MRD support out-of-the-box with this option). Just a note that some IGMP/MLD Querier or MRD Adv. would be needed when IGMP/MLD snooping switches are involved might be nice to have in the mc_snooping description for now, to avoid potential confusion later.

I'm also wondering if it could be useful to configure it via setsockopt() per application instead of per device via sysctl. Either by adding a new socket option. Or by allowing the any IP address 0.0.0.0 / :: with IP_ADD_MEMBERSHIP/IPV6_JOIN_GROUP. So that you could use this for instance:

$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[::]:eth0" -

(currently :: fails with "Invalid argument")

I'm not sure however what the requirements for adding or extending socket options are, if there are some POSIX standards that'd need to be followed for compatibility with other OSes, for instance.

Hm, actually, I just noticed that there seem to be some multicast related setsockopt()s already:

- PACKET_MR_PROMISC
- PACKET_MR_MULTICAST
- PACKET_MR_ALLMULTI

The last one seems to be what you are looking for, I think, the manpage here says:

"PACKET_MR_ALLMULTI sets the socket up to receive all multicast packets arriving at the interface"

https://www.man7.org/linux/man-pages/man7/packet.7.html

Or would you prefer to be able to use a layer 3 IP instead of a layer 2 packet socket?

Regards, Linus
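Review bot: the quoted mc_snooping documentation entry has no "Default:" line and describes the knob as "set to TRUE", while sysctl BOOLEAN entries are written in terms of 0/1; add the default value and say explicitly that both conf/all/mc_snooping and the per-interface conf/<iface>/mc_snooping must be 1 for the interface to receive unjoined groups, since "must also be set" leaves the combination rule implicit. The entry should also carry the caveat raised in the reply above: because the interface sends no IGMP/MLD reports of its own, snooping switches will not forward the groups unless a querier or MRD advertisements are present on the segment.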
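The PACKET_MR_ALLMULTI route Linus points at, written out as an added example that is not code from the patch or the thread: bind an AF_PACKET socket to one interface, ask for all multicast frames with PACKET_ADD_MEMBERSHIP, and classify what arrives as IGMP or MLD, which is what a snooping daemon would consume. The function names are mine, and it assumes Linux uapi headers and CAP_NET_RAW.

```c
/* Added example (not from the patch or the thread): receive every multicast frame on one
 * interface with PACKET_MR_ALLMULTI and pick out the IGMP/MLD ones. Linux only, needs CAP_NET_RAW. */
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum frame_kind { FRAME_OTHER, FRAME_IGMP, FRAME_MLD };

/* Bound packet socket receiving all multicast on ifname; returns -1 with errno set on failure. */
int open_allmulti_socket(const char *ifname)
{
    int ifindex = (int)if_nametoindex(ifname), fd, saved;
    if (ifindex == 0) return -1;
    if ((fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) return -1;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL), .sll_ifindex = ifindex };
    /* PACKET_MR_ALLMULTI: the kernel delivers every multicast frame on the interface, joined or not */
    struct packet_mreq mreq = { .mr_ifindex = ifindex, .mr_type = PACKET_MR_ALLMULTI };
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mreq, sizeof mreq) < 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* IGMP is IPv4 protocol 2. MLD is ICMPv6 type 130-132 (MLDv1) or 143 (MLDv2) and usually
 * sits behind a Hop-by-Hop (Router Alert) extension header, which is skipped here. */
enum frame_kind classify_frame(const uint8_t *b, size_t len)
{
    uint16_t ethertype;
    if (len < ETH_HLEN + 20) return FRAME_OTHER;
    memcpy(&ethertype, b + 12, 2);                       /* avoids an unaligned 16-bit load */
    if (ntohs(ethertype) == ETH_P_IP)                    /* IPv4: protocol field at byte 9 */
        return b[ETH_HLEN + 9] == IPPROTO_IGMP ? FRAME_IGMP : FRAME_OTHER;
    if (ntohs(ethertype) != ETH_P_IPV6 || len < ETH_HLEN + 40) return FRAME_OTHER;
    size_t off = ETH_HLEN + 40;                          /* IPv6: next header at byte 6 */
    uint8_t nxt = b[ETH_HLEN + 6];
    if (nxt == IPPROTO_HOPOPTS && len >= off + 8) {      /* ext header length is in 8-byte units */
        nxt = b[off];
        off += ((size_t)b[off + 1] + 1) * 8;
    }
    if (nxt != IPPROTO_ICMPV6 || len < off + 4) return FRAME_OTHER;
    return (b[off] >= 130 && b[off] <= 132) || b[off] == 143 ? FRAME_MLD : FRAME_OTHER;
}
```

A daemon would loop on recv() over the fd from open_allmulti_socket() and hand each buffer to classify_frame(); the unjoined groups arrive only because of the ALLMULTI membership, so without a querier on the segment a snooping switch upstream may still withhold them, as the reply above notes.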