Message-ID: <1623974851907.12252@alliedtelesis.co.nz>
Date:   Fri, 18 Jun 2021 00:07:31 +0000
From:   Callum Sinclair <Callum.Sinclair@...iedtelesis.co.nz>
To:     Linus Lüssing <linus.luessing@...3.blue>
CC:     "dsahern@...nel.org" <dsahern@...nel.org>,
        "nikolay@...dia.com" <nikolay@...dia.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "troglobit@...il.com" <troglobit@...il.com>
Subject: Re: [PATCH 1/1] net: Allow all multicast packets to be received on a
 interface.

Hi Linus 

> I'm also wondering if it could be useful to configure it via
> setsockopt() per application instead of per device via sysctl. Either by
> adding a new socket option. Or by allowing the any IP address
> 0.0.0.0 / :: with IP_ADD_MEMBERSHIP/IPV6_JOIN_GROUP. So that you
> could use this for instance:

Yes, perhaps this would be a better way to get multicast snooping working with the existing
options. I can see that using a multicast routing IP socket I will receive all IGMP and MLD
data from that. I was just not creating the socket as a multicast routing socket.

> Or would you prefer to be able to use a layer 3 IP instead of
> a layer 2 packet socket?

Yes, I was preferring to use an L3 IP socket instead of an L2 packet socket. This was to have
access to additional data from IP_PKTINFO.

Cheers
Callum
________________________________________
From: Linus Lüssing <linus.luessing@...3.blue>
Sent: Friday, June 18, 2021 12:33 AM
To: Callum Sinclair
Cc: dsahern@...nel.org; nikolay@...dia.com; netdev@...r.kernel.org; linux-kernel@...r.kernel.org; troglobit@...il.com
Subject: Re: [PATCH 1/1] net: Allow all multicast packets to be received on a interface.

Hi Callum,

On Thu, Jun 17, 2021 at 09:50:20PM +1200, Callum Sinclair wrote:
> +mc_snooping - BOOLEAN
> +     Enable multicast snooping on the interface. This allows any given
> +     multicast group to be received without explicitly being joined.
> +     The kernel needs to be compiled with CONFIG_MROUTE and/or
> +     CONFIG_IPV6_MROUTE.
> +     conf/all/mc_snooping must also be set to TRUE to enable multicast
> +     snooping for the interface.
> +
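Review bot: the description says the kernel needs CONFIG_MROUTE "and/or" CONFIG_IPV6_MROUTE without saying which option gates which address family; state which one is required for IPv4 and which for IPv6 (whatever the implementation actually checks), so an administrator does not set the sysctl on a kernel where it is a no-op for one family. The sentence "This allows any given multicast group to be received without explicitly being joined" should also spell out the consequence that no IGMP/MLD report is sent for those groups, so behind IGMP/MLD snooping switches nothing will arrive unless this host is a querier or announces itself with Multicast Router Advertisements (RFC 4286), and that every local consumer then sees the whole multicast stream of the interface, which deserves a one-line warning next to the conf/all dependency. Finally, "conf/all/mc_snooping must also be set to TRUE" should say explicitly that the per-interface and the all values are ANDed, since "must also" leaves that interaction implicit.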

Generally this sounds like a useful feature. One note: When there
are snooping bridges/switches involved, you might run into issues
in receiving all multicast packets, as due to the missing IGMP/MLD
reports the snooping switches won't forward to you.

In that case, to conform to RFC4541 you would also need to become
the selected IGMP/MLD querier and send IGMP/MLD query messages. Or
better, you'd need to send Multicast Router Advertisements
(RFC4286). The latter is the recommended, more flexible way but
might not be supported by all multicast snooping switches yet.
The Linux bridge supports this.

There is a userspace tool called mrdisc you can use for MRD-Adv.
though: https://github.com/troglobit/mrdisc So no need to
implement MRD Advertisements in the kernel with this patch (though
I could imagine that it might be a useful feature to have, having
MRD support out-of-the-box with this option). Just a note that some
IGMP/MLD Querier or MRD Adv. would be needed when IGMP/MLD snooping
switches are involved might be nice to have in the mc_snooping
description for now, to avoid potential confusion later.


I'm also wondering if it could be useful to configure it via
setsockopt() per application instead of per device via sysctl. Either by
adding a new socket option. Or by allowing the any IP address
0.0.0.0 / :: with IP_ADD_MEMBERSHIP/IPV6_JOIN_GROUP. So that you
could use this for instance:

$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[::]:eth0" -
(currently :: fails with "Invalid argument")

I'm not sure however what the requirements for adding or extending
socket options are, if there are some POSIX standards that'd need
to be followed for compatibility with other OSes, for instance.


Hm, actually, I just noticed that there seem to be some multicast
related setsockopt()s already:

- PACKET_MR_PROMISC
- PACKET_MR_MULTICAST
- PACKET_MR_ALLMULTI

The last one seems to be what you are looking for, I think, the
manpage here says:

"PACKET_MR_ALLMULTI sets the socket up to receive all multicast
packets arriving at the interface"
https://www.man7.org/linux/man-pages/man7/packet.7.html

Or would you prefer to be able to use a layer 3 IP instead of
a layer 2 packet socket?

Regards, Linus
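The two receive paths discussed in this thread, as an added example that is not part of the patch or of either author's mail: a layer-2 packet socket switched to PACKET_MR_ALLMULTI with setsockopt(), and the layer-3 UDP socket Callum prefers, which uses IP_PKTINFO to learn the ingress interface and destination group of each datagram. The interface name eth0 and port 1234 are taken from the socat line above; the control buffer parsed by the sample functions is constructed here, not captured from a network, and the packet socket needs CAP_NET_RAW.

```c
/* Added example, not code from the patch or the thread. Assumes Linux,
 * interface "eth0" and UDP port 1234 (from the socat line in the mail). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Layer 2: every multicast frame on ifname, whether or not any group was
 * joined (PACKET_MR_ALLMULTI). Needs CAP_NET_RAW. Returns fd or -errno. */
int open_allmulti_packet_socket(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    if (fd < 0)
        return -errno;
    struct packet_mreq mreq;
    memset(&mreq, 0, sizeof mreq);
    mreq.mr_ifindex = (int)if_nametoindex(ifname);
    mreq.mr_type = PACKET_MR_ALLMULTI;      /* puts the NIC in allmulti mode */
    if (mreq.mr_ifindex == 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mreq, sizeof mreq) < 0) {
        int err = errno ? errno : ENODEV;
        close(fd);
        return -err;
    }
    return fd;
}

/* Layer 3: a UDP socket with IP_PKTINFO so recvmsg() reports the ingress
 * ifindex and the destination (group) address of each datagram. Only sees
 * groups the host has joined or that the sysctl in the patch exposes. */
int open_pktinfo_udp_socket(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    if (fd < 0)
        return -errno;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Walk the ancillary data of a received datagram and copy out IP_PKTINFO
 * (memcpy: CMSG_DATA is not guaranteed to be aligned). 1 if found, else 0. */
int extract_pktinfo(struct msghdr *msg, struct in_pktinfo *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    return 0;
}

/* 224.0.0.0/4 check so a receiver can drop unicast datagrams on the same port. */
int is_ipv4_multicast(struct in_addr a)
{
    return (ntohl(a.s_addr) & 0xf0000000u) == 0xe0000000u;
}

int is_ipv4_multicast_str(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 && is_ipv4_multicast(a);
}

/* Constructed sample (not a capture): the control buffer recvmsg() would
 * fill in for a datagram to 224.0.0.251 (mDNS) that arrived on ifindex 3. */
static int sample_pktinfo(struct in_pktinfo *out)
{
    char ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr msg = { .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    struct in_pktinfo pi = { .ipi_ifindex = 3 };
    inet_pton(AF_INET, "224.0.0.251", &pi.ipi_addr);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return extract_pktinfo(&msg, out);
}

int sample_ifindex(void)               /* ingress ifindex of the sample, or -1 */
{
    struct in_pktinfo pi;
    return sample_pktinfo(&pi) ? pi.ipi_ifindex : -1;
}

const char *sample_group(void)         /* destination group of the sample */
{
    static char buf[INET_ADDRSTRLEN];
    struct in_pktinfo pi;
    if (!sample_pktinfo(&pi) || !inet_ntop(AF_INET, &pi.ipi_addr, buf, sizeof buf))
        return "";
    return buf;
}

/* Live path: receive one datagram on port 1234 and report group and interface. */
int main(void)
{
    int fd = open_pktinfo_udp_socket(1234);
    if (fd < 0) { fprintf(stderr, "socket: %s\n", strerror(-fd)); return 1; }
    char data[2048], ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    char grp[INET_ADDRSTRLEN], name[IF_NAMESIZE];
    struct iovec iov = { data, sizeof data };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    struct in_pktinfo pi;
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n >= 0 && extract_pktinfo(&msg, &pi) && is_ipv4_multicast(pi.ipi_addr))
        printf("%zd bytes to %s on %s\n", n,
               inet_ntop(AF_INET, &pi.ipi_addr, grp, sizeof grp),
               if_indextoname((unsigned)pi.ipi_ifindex, name) ? name : "?");
    close(fd);
    return 0;
}
```

The packet-socket path reproduces what the proposed sysctl does per interface, but, as noted above, neither path sends IGMP/MLD reports for the groups it expects to see, so behind a snooping switch the frames only arrive once the host is the querier or advertises itself as a multicast router.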
