From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 259879] enabling PF blocks multicast/igmp sendto
Date: Tue, 16 Nov 2021 12:44:40 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259879

            Bug ID: 259879
           Summary: enabling PF blocks multicast/igmp sendto
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: johan@stromnet.se

While trying to get multicast routing to work on my FreeBSD 12.2-based router,
I tried with mrouted, then igmpproxy, then pimd. The latter two actually show
errors, mrouted did not. In any case, I never got the machine to send out any
IGMP join packets, nor pick up any IGMP joins from local nodes.

On another machine, where I ran a basic socat test (see below), the machine
never produced any IGMP Join packets. Trying the same on a Linux machine worked
fine.

At least one other person has had these issues with pimd, but probably not
related to pimd: https://github.com/troglobit/pimd/issues/171

After doing tests on clean VMs, I've nailed it down to PF. Having pf just
enabled, even with blank rules, seems to block outbound multicast/igmp somehow.

Reproducible:

1. Launch blank VM with FreeBSD 12.2 or 13.0 qcow image in KVM:

2. Prepare:
    pkg install pimd truss
    kldload ip_mroute

3. Launch pimd, working with no errors:
    root@freebsd:~ # pimd -f
    ^C

4. Enable pf (blank, no rules):
    root@freebsd:~ # pfctl -e
    root@freebsd:~ #

5. Now trying to use pimd, gives failures to send:
    root@freebsd:~ # pimd -f
    pimd: 12:30:03.170 Sendto to 224.0.0.1 on 172.28.6.15: Permission denied

6. Disable pf again and it works fine again...

7. truss output (from socket creation to sendto failure) with pf enabled (but
no rules at all):

socket(PF_INET,SOCK_RAW,IPPROTO_IGMP) = 4 (0x4)
setsockopt(4,IPPROTO_IP,IP_HDRINCL,0x7fffffffe6dc,4) = 0 (0x0)
setsockopt(4,SOL_SOCKET,SO_SNDBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(4,SOL_SOCKET,SO_RCVBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_TTL,0x7fffffffe6df,1) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_LOOP,0x7fffffffe6d7,1) = 0 (0x0)
socket(PF_INET,SOCK_RAW,IPPROTO_PIM) = 5 (0x5)
setsockopt(5,IPPROTO_IP,IP_HDRINCL,0x7fffffffe6dc,4) = 0 (0x0)
setsockopt(5,SOL_SOCKET,SO_SNDBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(5,SOL_SOCKET,SO_RCVBUF,0x7fffffffe6bc,4) = 0 (0x0)
setsockopt(5,IPPROTO_IP,IP_MULTICAST_TTL,0x7fffffffe6df,1) = 0 (0x0)
setsockopt(5,IPPROTO_IP,IP_MULTICAST_LOOP,0x7fffffffe6d7,1) = 0 (0x0)
mmap(0x0,135168,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34366939136 (0x8006de000)
mmap(0x0,135168,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34367074304 (0x8006ff000)
socket(PF_ROUTE,SOCK_RAW,0) = 6 (0x6)
fcntl(6,F_SETFL,O_RDONLY|O_NONBLOCK) = 0 (0x0)
socket(PF_INET,SOCK_DGRAM,0) = 7 (0x7)
ioctl(7,SIOCGIFCONF,0x7fffffffe690) = 0 (0x0)
ioctl(7,SIOCGIFFLAGS,0x7fffffffe6a0) = 0 (0x0)
ioctl(7,SIOCGIFNETMASK,0x7fffffffe6a0) = 0 (0x0)
ioctl(7,SIOCGIFMTU,0x7fffffffe6a0) = 0 (0x0)
ioctl(7,SIOCGIFFLAGS,0x7fffffffe6a0) = 0 (0x0)
open("/usr/local/etc//pimd.conf",O_RDONLY,0666) = 8 (0x8)
fstat(8,{ mode=-rw-r--r-- ,inode=321234,size=6435,blksize=32768 }) = 0 (0x0)
mmap(0x0,36864,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34367209472 (0x800720000)
read(8,"# Exmaple configuration file for"...,32768) = 6435 (0x1923)
read(8,0x8007204c0,32768) = 0 (0x0)
close(8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,100,0x7fffffffe6dc,4) = 0 (0x0)
setsockopt(4,IPPROTO_IP,107,0x7fffffffe6dc,4) = 0 (0x0)
getrandom("\M-2\f\M-M\M-@\M-7\^\ \M-jU\v"...,40,0) = 40 (0x28)
mmap(0x0,1104,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34367246336 (0x800729000)
minherit(0x800729000,1104,INHERIT_ZERO) = 0 (0x0)
setsockopt(4,IPPROTO_IP,102,0x7fffffffe698,16) = 0 (0x0)
setsockopt(5,IPPROTO_IP,IP_ADD_MEMBERSHIP,0x7fffffffe698,8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_ADD_MEMBERSHIP,0x7fffffffe698,8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_ADD_MEMBERSHIP,0x7fffffffe698,8) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_IF,0x7fffffffe5c8,4) = 0 (0x0)
setsockopt(4,IPPROTO_IP,IP_MULTICAST_LOOP,0x7fffffffe5c7,1) = 0 (0x0)
sendto(4,"F\M-@\0$\0\0\0\0\M^?\^B\0\0\M-,"...,36,0,{ AF_INET 224.0.0.1:0 },16) ERR#13 'Permission denied'

Another test case, with socat:

1. Disable pf on FreeBSD machine (172.28.6.15)

2. Start tcpdump on another machine in same network.

3. Start socat on FreeBSD machine:
    socat -d -d -u UDP4-RECV:5568,ip-add-membership=239.255.0.100:172.28.6.15 /dev/null

4. Check tcpdump output on another machine, you can see the IGMP Joins:
    13:40:29.226382 IP 172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s)

5. Enable pf (blank rules), run socat again. No IGMP traffic whatsoever seen on
remote machine.
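
The failing sendto() buffer in the truss output is printed in vis(3) escaping. The following added example (not part of the original report; the function names are assumptions of this example) decodes the bytes truss printed before its "..." and parses the fixed IPv4 header fields, so the packet pf rejected can be inspected.

```python
import struct

# Bytes exactly as truss printed them for the failing sendto(); truss cut the
# 36-byte buffer off after 13 bytes ("..."), so only that prefix is decoded.
TRUSS_SENDTO = r"F\M-@\0$\0\0\0\0\M^?\^B\0\0\M-,"
# Single-character C-style escapes produced by vis(3).
C_ESCAPES = {"0": 0, "a": 7, "b": 8, "t": 9, "n": 10, "v": 11,
             "f": 12, "r": 13, "s": 32, "\\": 92}

def unvis(text):
    """Decode vis(3) escapes \\M-c, \\M^c, \\^c and C-style (no \\ddd octal)."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))                       # literal character
            i += 1
        elif text[i + 1] == "M" and text[i + 2] == "-":
            out.append(0x80 | ord(text[i + 3]))            # char with high bit set
            i += 4
        elif text[i + 1] == "M" and text[i + 2] == "^":
            out.append(0x80 | (ord(text[i + 3]) ^ 0x40))   # control char, high bit
            i += 4
        elif text[i + 1] == "^":
            out.append(ord(text[i + 2]) ^ 0x40)            # control char; ^? is DEL
            i += 3
        else:
            out.append(C_ESCAPES[text[i + 1]])             # \0, \f, \v, ...
            i += 2
    return bytes(out)

def parse_ipv4_fixed(buf):
    """Parse the first 12 bytes of an IPv4 header (fields in network order)."""
    vihl, _tos, total_len, _id, _frag, ttl, proto, _cksum = struct.unpack(
        "!BBHHHBBH", buf[:12])
    header_len = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4,
        "header_len": header_len,
        "has_ip_options": header_len > 20,   # beyond the 20-byte base header
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,                   # 2 = IGMP
        "payload_len": total_len - header_len,
    }

if __name__ == "__main__":
    raw = unvis(TRUSS_SENDTO)
    print(raw.hex(" "), parse_ipv4_fixed(raw))
```

For the buffer in the report this gives an IGMP packet with total length 36 (the length passed to sendto()) and a 24-byte header, i.e. 4 bytes of IP options. pf.conf(5) documents that IPv4 packets with IP options are blocked by default unless the matching pass rule sets allow-opts, which is a candidate to test; the report itself does not establish the cause.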