Domů Procházet Nápověda
Přihlásit se
iank
/
libreCMC
rozštěpen z libreCMC/libreCMC
1
0
Rozštěpit 0
Soubory
Strom: 0dbb12132c
Větve Značky
libreCMC
/
package
/
network
/
services
/
igmpproxy
/
patches
/
003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch

003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch 6.1 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. From 65f777e7f66b55239d935c1cf81bb5abc0f6c89f Mon Sep 17 00:00:00 2001
    2. 

  2. From: Grinch <grinch79@users.sourceforge.net>
    3. 

  3. Date: Sun, 16 Aug 2009 19:58:26 +0500
    4. 

  4. Subject: [PATCH] Restrict igmp reports for downstream interfaces (wrt #2833339)
    5. 

  5. 

  6. atm all igmp membership reports are forwarded to the upstream interface.
    7. 

  7. Unfortunately some ISP Providers restrict some multicast groups (esp. those
    8. 

  8. that are defined as local link groups and that are not supposed to be
    9. 

  9. forwarded to the wan, i.e 224.0.0.0/24). Therefore there should be some
    10. 

  10. kind of black oder whitelisting.
    11. 

  11. As whitelisting can be accomplished quite easy I wrote a litte patch, which
    12. 

  12. is attached to this request.
    13. 

  13. ---
    14. 

  14.  doc/igmpproxy.conf.5.in |   19 +++++++++++++++++++
    15. 

  15.  src/config.c            |   23 ++++++++++++++++++++++-
    16. 

  16.  src/igmpproxy.h         |    1 +
    17. 

  17.  src/request.c           |   20 ++++++++++++++++----
    18. 

  18.  4 files changed, 58 insertions(+), 5 deletions(-)
    19. 

  19. 

  20. diff --git a/doc/igmpproxy.conf.5.in b/doc/igmpproxy.conf.5.in
    21. 

  21. index a4ea7d0..56efa22 100644
    22. 

  22. --- a/doc/igmpproxy.conf.5.in
    23. 

  23. +++ b/doc/igmpproxy.conf.5.in
    24. 

  24. @@ -116,6 +116,25 @@ This is especially useful for the upstream interface, since the source for multi
    25. 

  25.  traffic is often from a remote location. Any number of altnet parameters can be specified.
    26. 

  26.  .RE
    27. 

  27.  
    28. 

  28. +.B whitelist
    29. 

  29. +.I networkaddr
    30. 

  30. +.RS
    31. 

  31. +Defines a whitelist for multicast groups. The network address must be in the following
    32. 

  32. +format 'a.b.c.d/n'. If you want to allow one single group use a network mask of /32,
    33. 

  33. +i.e. 'a.b.c.d/32'. 
    34. 

  34. +
    35. 

  35. +By default all multicast groups are allowed on any downstream interface. If at least one
    36. 

  36. +whitelist entry is defined, all igmp membership reports for not explicitly whitelisted
    37. 

  37. +multicast groups will be ignored and therefore not be served by igmpproxy. This is especially
    38. 

  38. +useful, if your provider does only allow a predefined set of multicast groups. These whitelists
    39. 

  39. +are only obeyed by igmpproxy itself, they won't prevent any other igmp client running on the
    40. 

  40. +same machine as igmpproxy from requesting 'unallowed' multicast groups.
    41. 

  41. +
    42. 

  42. +You may specify as many whitelist entries as needed. Although you should keep it as simple as
    43. 

  43. +possible, as this list is parsed for every membership report and therefore this increases igmp
    44. 

  44. +response times. Often used or large groups should be defined first, as parsing ends as soon as
    45. 

  45. +a group matches an entry.
    46. 

  46. +.RE
    47. 

  47.  
    48. 

  48.  .SH EXAMPLE
    49. 

  49.  ## Enable quickleave
    50. 

  50. diff --git a/src/config.c b/src/config.c
    51. 

  51. index 5a96ce0..d72619f 100644
    52. 

  52. --- a/src/config.c
    53. 

  53. +++ b/src/config.c
    54. 

  54. @@ -46,6 +46,9 @@ struct vifconfig {
    55. 

  55.  
    56. 

  56.      // Keep allowed nets for VIF.
    57. 

  57.      struct SubnetList*  allowednets;
    58. 

  58. +
    59. 

  59. +    // Allowed Groups
    60. 

  60. +    struct SubnetList*  allowedgroups;
    61. 

  61.      
    62. 

  62.      // Next config in list...
    63. 

  63.      struct vifconfig*   next;
    64. 

  64. @@ -202,6 +205,8 @@ void configureVifs() {
    65. 

  65.                      // Insert the configured nets...
    66. 

  66.                      vifLast->next = confPtr->allowednets;
    67. 

  67.  
    68. 

  68. +		    Dp->allowedgroups = confPtr->allowedgroups;
    69. 

  69. +
    70. 

  70.                      break;
    71. 

  71.                  }
    72. 

  72.              }
    73. 

  73. @@ -215,7 +220,7 @@ void configureVifs() {
    74. 

  74.  */
    75. 

  75.  struct vifconfig *parsePhyintToken() {
    76. 

  76.      struct vifconfig  *tmpPtr;
    77. 

  77. -    struct SubnetList **anetPtr;
    78. 

  78. +    struct SubnetList **anetPtr, **agrpPtr;
    79. 

  79.      char *token;
    80. 

  80.      short parseError = 0;
    81. 

  81.  
    82. 

  82. @@ -239,6 +244,7 @@ struct vifconfig *parsePhyintToken() {
    83. 

  83.      tmpPtr->threshold = 1;
    84. 

  84.      tmpPtr->state = IF_STATE_DOWNSTREAM;
    85. 

  85.      tmpPtr->allowednets = NULL;
    86. 

  86. +    tmpPtr->allowedgroups = NULL;
    87. 

  87.  
    88. 

  88.      // Make a copy of the token to store the IF name
    89. 

  89.      tmpPtr->name = strdup( token );
    90. 

  90. @@ -248,6 +254,7 @@ struct vifconfig *parsePhyintToken() {
    91. 

  91.  
    92. 

  92.      // Set the altnet pointer to the allowednets pointer.
    93. 

  93.      anetPtr = &tmpPtr->allowednets;
    94. 

  94. +    agrpPtr = &tmpPtr->allowedgroups; 
    95. 

  95.  
    96. 

  96.      // Parse the rest of the config..
    97. 

  97.      token = nextConfigToken();
    98. 

  98. @@ -266,6 +273,20 @@ struct vifconfig *parsePhyintToken() {
    99. 

  99.                  anetPtr = &(*anetPtr)->next;
    100. 

  100.              }
    101. 

  101.          }
    102. 

  102. +	else if(strcmp("whitelist", token)==0) {
    103. 

  103. +	    // Whitelist
    104. 

  104. +	    token = nextConfigToken();
    105. 

  105. +	    my_log(LOG_DEBUG, 0, "Config: IF: Got whitelist token %s.", token);
    106. 

  106. +	
    107. 

  107. +	    *agrpPtr = parseSubnetAddress(token);
    108. 

  108. +	    if(*agrpPtr == NULL) {
    109. 

  109. +		parseError = 1;
    110. 

  110. +		my_log(LOG_WARNING, 0, "Unable to parse subnet address.");
    111. 

  111. +		break;
    112. 

  112. +	    } else {
    113. 

  113. +		agrpPtr = &(*agrpPtr)->next;
    114. 

  114. +	    }
    115. 

  115. +	}
    116. 

  116.          else if(strcmp("upstream", token)==0) {
    117. 

  117.              // Upstream
    118. 

  118.              my_log(LOG_DEBUG, 0, "Config: IF: Got upstream token.");
    119. 

  119. diff --git a/src/igmpproxy.h b/src/igmpproxy.h
    120. 

  120. index 4dabd1c..0de7791 100644
    121. 

  121. --- a/src/igmpproxy.h
    122. 

  122. +++ b/src/igmpproxy.h
    123. 

  123. @@ -145,6 +145,7 @@ struct IfDesc {
    124. 

  124.      short               Flags;
    125. 

  125.      short               state;
    126. 

  126.      struct SubnetList*  allowednets;
    127. 

  127. +    struct SubnetList*  allowedgroups;
    128. 

  128.      unsigned int        robustness;
    129. 

  129.      unsigned char       threshold;   /* ttl limit */
    130. 

  130.      unsigned int        ratelimit; 
    131. 

  131. diff --git a/src/request.c b/src/request.c
    132. 

  132. index e3589f6..89b91de 100644
    133. 

  133. --- a/src/request.c
    134. 

  134. +++ b/src/request.c
    135. 

  135. @@ -82,10 +82,22 @@ void acceptGroupReport(uint32_t src, uint32_t group, uint8_t type) {
    136. 

  136.          my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",
    137. 

  137.              inetFmt(group,s1), inetFmt(src,s2), sourceVif->index);
    138. 

  138.  
    139. 

  139. -        // The membership report was OK... Insert it into the route table..
    140. 

  140. -        insertRoute(group, sourceVif->index);
    141. 

  141. -
    142. 

  142. -
    143. 

  143. +	// If we don't have a whitelist we insertRoute and done
    144. 

  144. +	if(sourceVif->allowedgroups == NULL)
    145. 

  145. +	{
    146. 

  146. +	    insertRoute(group, sourceVif->index);
    147. 

  147. +	    return;
    148. 

  148. +	}
    149. 

  149. +	// Check if this Request is legit on this interface
    150. 

  150. +	struct SubnetList *sn;
    151. 

  151. +	for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)
    152. 

  152. +	    if((group & sn->subnet_mask) == sn->subnet_addr)
    153. 

  153. +	    {
    154. 

  154. +        	// The membership report was OK... Insert it into the route table..
    155. 

  155. +        	insertRoute(group, sourceVif->index);
    156. 

  156. +		return;
    157. 

  157. +	    }
    158. 

  158. +	my_log(LOG_INFO, 0, "The group address %s may not be requested from this interface. Ignoring.", inetFmt(group, s1));
    159. 

  159.      } else {
    160. 

  160.          // Log the state of the interface the report was recieved on.
    161. 

  161.          my_log(LOG_INFO, 0, "Mebership report was recieved on %s. Ignoring.",
    162. 

  162. -- 
    163. 

  163. 1.7.2.5
    164. 

  164.