On Tue, May 03, 2022 at 07:32:47AM -0600, Alexandr Nedvedicky wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: sas...@cvs.openbsd.org 2022/05/03 07:32:47
>
> Modified files:
> sys/net : pf.c
>
> Log message:
> Make pf(4) more paranoid about IGMP/MLP messages. MLD/IGMP messages
> with ttl other than 1 will be discarded. Also MLD messages with
> other than link-local source address will be discarded. IGMP
> messages with destination address other than multicast class
> will be discarded.
>
> feedback and OK bluhm@, cluadio@

This most likely broke regress.

> sys/net/pf_opts: Exit: 1 Duration: 00:01:32 Log: 153-sys-net-pf_opts.log

==== run-bpf-mcast ====
sleep 2 # XXX
doas -n pkill -f '^/usr/sbin/tcpdump -l -e -vvv -s 2048 -ni'
2 packets received by filter
0 packets dropped by kernel
4 packets received by filter
0 packets dropped by kernel
2 packets received by filter
0 packets dropped by kernel
rm -f stamp-bpf*
# Check that multicast protocol packet with router alert passed
grep ' 127.0.0.12: igmp query .* IPOPT-148{4}' lo12.tcpdump
05:00:20.575196 127.0.0.12 > 127.0.0.12: igmp query [ttl 1] (id 1, len 32, optlen=4 IPOPT-148{4})
grep ' fe80::12: HBH (rtalert:.* icmp6: multicast ' lo12.tcpdump
05:00:23.921469 fe80::12 > fe80::12: HBH (rtalert: 0x0000) icmp6: multicast listener query max resp delay: 10000 addr: :: [icmp6 cksum ok] (len 32, hlim 64)
! grep '127.0.0.11' pflog0.tcpdump
05:00:18.943109 rule def/(ip-option) [uid 0, pid 0] pass in on lo11: 127.0.0.11 > 127.0.0.11: igmp query [ttl 1] (id 1, len 32, optlen=4 IPOPT-148{4})
*** Error 1 in . (Makefile:321 'run-bpf-mcast')

FAILED

==== run-bpf-mcast-bad ====
sleep 2 # XXX
doas -n pkill -f '^/usr/sbin/tcpdump -l -e -vvv -s 2048 -ni'
2 packets received by filter
0 packets dropped by kernel
4 packets received by filter
0 packets dropped by kernel
2 packets received by filter
0 packets dropped by kernel
rm -f stamp-bpf*
# Check that multicast protocol packet with options were blocked
grep ' 127.0.0.12: igmp query .* IPOPT-3{4}' pflog0.tcpdump
05:00:31.505047 rule def/(ip-option) [uid 0, pid 0] pass in on lo12: 127.0.0.12 > 127.0.0.12: igmp query [ttl 1] (id 1, len 32, optlen=4 IPOPT-3{4})
grep ' fe80::12: HBH (type 0x03:.* icmp6: multicast ' pflog0.tcpdump
05:00:34.842050 rule def/(ip-option) [uid 0, pid 0] pass in on lo12: fe80::12 > fe80::12: HBH (type 0x03: len=0) icmp6: multicast listener query max resp delay: 10000 addr: :: [icmp6 cksum ok] (len 32, hlim 64)
! grep '127.0.0.11' pflog0.tcpdump
05:00:29.868675 rule def/(ip-option) [uid 0, pid 0] pass in on lo11: 127.0.0.11 > 127.0.0.11: igmp query [ttl 1] (id 1, len 32, optlen=4 IPOPT-3{4})
*** Error 1 in . (Makefile:341 'run-bpf-mcast-bad')

FAILED
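
The three checks worded in the quoted log message, written out as stand-alone C and applied to header values read from the tcpdump lines in the regress log. This is an added example, not the code from sys/net/pf.c; the function and enum names are hypothetical, and the order of the checks is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict names are hypothetical, not taken from pf.c. */
enum mcast_verdict { MCAST_OK, MCAST_BAD_TTL, MCAST_BAD_SRC, MCAST_BAD_DST };

/* IGMP: ttl must be 1 and the destination must be in the multicast
 * class 224.0.0.0/4. dst is the IPv4 destination in host byte order. */
enum mcast_verdict
igmp_check(uint8_t ttl, uint32_t dst)
{
	if (ttl != 1)
		return MCAST_BAD_TTL;
	if ((dst & 0xf0000000u) != 0xe0000000u)
		return MCAST_BAD_DST;
	return MCAST_OK;
}

/* MLD: hop limit must be 1 and the source must be link-local
 * (fe80::/10). src is the 16-byte IPv6 source in network order. */
enum mcast_verdict
mld_check(uint8_t hlim, const uint8_t src[16])
{
	if (hlim != 1)
		return MCAST_BAD_TTL;
	if (src[0] != 0xfe || (src[1] & 0xc0) != 0x80)
		return MCAST_BAD_SRC;
	return MCAST_OK;
}

/* fe80::12, the source address shown in the regress log. */
static const uint8_t sample_src[16] = { 0xfe, 0x80, [15] = 0x12 };

int
main(void)
{
	/* Log line: 127.0.0.12 > 127.0.0.12: igmp query [ttl 1]
	 * ttl is 1, but 127.0.0.12 (0x7f00000c) is not in 224.0.0.0/4. */
	printf("igmp: %d\n", igmp_check(1, 0x7f00000cu));
	/* Log line: fe80::12 > fe80::12 ... multicast listener query
	 * (len 32, hlim 64): source is link-local, hop limit is not 1. */
	printf("mld:  %d\n", mld_check(64, sample_src));
	return 0;
}
```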