+From 65f777e7f66b55239d935c1cf81bb5abc0f6c89f Mon Sep 17 00:00:00 2001
+From: Grinch <grinch79@users.sourceforge.net>
+Date: Sun, 16 Aug 2009 19:58:26 +0500
+Subject: [PATCH] Restrict igmp reports for downstream interfaces (wrt #2833339)
+
+atm all igmp membership reports are forwarded to the upstream interface.
+Unfortunately some ISP Providers restrict some multicast groups (esp. those
+that are defined as local link groups and that are not supposed to be
+forwarded to the wan, i.e 224.0.0.0/24). Therefore there should be some
+kind of black oder whitelisting.
+As whitelisting can be accomplished quite easy I wrote a litte patch, which
+is attached to this request.
+---
+ doc/igmpproxy.conf.5.in | 19 +++++++++++++++++++
+ src/config.c | 23 ++++++++++++++++++++++-
+ src/igmpproxy.h | 1 +
+ src/request.c | 20 ++++++++++++++++----
+ 4 files changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/doc/igmpproxy.conf.5.in b/doc/igmpproxy.conf.5.in
+index a4ea7d0..56efa22 100644
+--- a/doc/igmpproxy.conf.5.in
++++ b/doc/igmpproxy.conf.5.in
+@@ -116,6 +116,25 @@ This is especially useful for the upstream interface, since the source for multi
+ traffic is often from a remote location. Any number of altnet parameters can be specified.
+ .RE
+
++.B whitelist
++.I networkaddr
++.RS
++Defines a whitelist for multicast groups. The network address must be in the following
++format 'a.b.c.d/n'. If you want to allow one single group use a network mask of /32,
++i.e. 'a.b.c.d/32'.
++
++By default all multicast groups are allowed on any downstream interface. If at least one
++whitelist entry is defined, all igmp membership reports for not explicitly whitelisted
++multicast groups will be ignored and therefore not be served by igmpproxy. This is especially
++useful, if your provider does only allow a predefined set of multicast groups. These whitelists
++are only obeyed by igmpproxy itself, they won't prevent any other igmp client running on the
++same machine as igmpproxy from requesting 'unallowed' multicast groups.
++
++You may specify as many whitelist entries as needed. Although you should keep it as simple as
++possible, as this list is parsed for every membership report and therefore this increases igmp
++response times. Often used or large groups should be defined first, as parsing ends as soon as
++a group matches an entry.
++.RE
+
+ .SH EXAMPLE
+ ## Enable quickleave
+diff --git a/src/config.c b/src/config.c
+index 5a96ce0..d72619f 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -46,6 +46,9 @@ struct vifconfig {
+
+ // Keep allowed nets for VIF.
+ struct SubnetList* allowednets;
++
++ // Allowed Groups
++ struct SubnetList* allowedgroups;
+
+ // Next config in list...
+ struct vifconfig* next;
+@@ -202,6 +205,8 @@ void configureVifs() {
+ // Insert the configured nets...
+ vifLast->next = confPtr->allowednets;
+
++ Dp->allowedgroups = confPtr->allowedgroups;
++
+ break;
+ }
+ }
+@@ -215,7 +220,7 @@ void configureVifs() {
+ */
+ struct vifconfig *parsePhyintToken() {
+ struct vifconfig *tmpPtr;
+- struct SubnetList **anetPtr;
++ struct SubnetList **anetPtr, **agrpPtr;
+ char *token;
+ short parseError = 0;
+
+@@ -239,6 +244,7 @@ struct vifconfig *parsePhyintToken() {
+ tmpPtr->threshold = 1;
+ tmpPtr->state = IF_STATE_DOWNSTREAM;
+ tmpPtr->allowednets = NULL;
++ tmpPtr->allowedgroups = NULL;
+
+ // Make a copy of the token to store the IF name
+ tmpPtr->name = strdup( token );
+@@ -248,6 +254,7 @@ struct vifconfig *parsePhyintToken() {
+
+ // Set the altnet pointer to the allowednets pointer.
+ anetPtr = &tmpPtr->allowednets;
++ agrpPtr = &tmpPtr->allowedgroups;
+
+ // Parse the rest of the config..
+ token = nextConfigToken();
+@@ -266,6 +273,20 @@ struct vifconfig *parsePhyintToken() {
+ anetPtr = &(*anetPtr)->next;
+ }
+ }
++ else if(strcmp("whitelist", token)==0) {
++ // Whitelist
++ token = nextConfigToken();
++ my_log(LOG_DEBUG, 0, "Config: IF: Got whitelist token %s.", token);
++
++ *agrpPtr = parseSubnetAddress(token);
++ if(*agrpPtr == NULL) {
++ parseError = 1;
++ my_log(LOG_WARNING, 0, "Unable to parse subnet address.");
++ break;
++ } else {
++ agrpPtr = &(*agrpPtr)->next;
++ }
++ }
+ else if(strcmp("upstream", token)==0) {
+ // Upstream
+ my_log(LOG_DEBUG, 0, "Config: IF: Got upstream token.");
+diff --git a/src/igmpproxy.h b/src/igmpproxy.h
+index 4dabd1c..0de7791 100644
+--- a/src/igmpproxy.h
++++ b/src/igmpproxy.h
+@@ -145,6 +145,7 @@ struct IfDesc {
+ short Flags;
+ short state;
+ struct SubnetList* allowednets;
++ struct SubnetList* allowedgroups;
+ unsigned int robustness;
+ unsigned char threshold; /* ttl limit */
+ unsigned int ratelimit;
+diff --git a/src/request.c b/src/request.c
+index e3589f6..89b91de 100644
+--- a/src/request.c
++++ b/src/request.c
+@@ -82,10 +82,22 @@ void acceptGroupReport(uint32_t src, uint32_t group, uint8_t type) {
+ my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",
+ inetFmt(group,s1), inetFmt(src,s2), sourceVif->index);
+
+- // The membership report was OK... Insert it into the route table..
+- insertRoute(group, sourceVif->index);
+-
+-
++ // If we don't have a whitelist we insertRoute and done
++ if(sourceVif->allowedgroups == NULL)
++ {
++ insertRoute(group, sourceVif->index);
++ return;
++ }
++ // Check if this Request is legit on this interface
++ struct SubnetList *sn;
++ for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)
++ if((group & sn->subnet_mask) == sn->subnet_addr)
++ {
++ // The membership report was OK... Insert it into the route table..
++ insertRoute(group, sourceVif->index);
++ return;
++ }
++ my_log(LOG_INFO, 0, "The group address %s may not be requested from this interface. Ignoring.", inetFmt(group, s1));
+ } else {
+ // Log the state of the interface the report was recieved on.
+ my_log(LOG_INFO, 0, "Mebership report was recieved on %s. Ignoring.",
+--
+1.7.2.5
+
projects / people / teissler / ipfire-2.x.git / commitdiff
