[Bug 259879] enabling PF blocks multicast/igmp sendto
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 259879] enabling PF blocks multicast/igmp sendto"
Date: Wed, 17 Nov 2021 06:56:02 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259879

--- Comment #5 from Johan Ström <johan@stromnet.se> ---
I verified that logging is not working as expected (pass rule without allow-opts blocks but does not log):

enabling pf with no rules
launch the socat command that tries to join multicast address.
Pf now blocks igmp (as we now know is expected)

adding a rule "block return log on $if all" and then running the socat again yields log entries in pflog:

    root@freebsd:~ # tcpdump -i pflog0 igmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
    06:47:55.756617 IP 172.28.6.15 > igmp.mcast.net: igmp v3 report, 1 group record(s)
    06:47:57.756382 IP 172.28.6.15 > igmp.mcast.net: igmp v3 report, 1 group record(s)
    06:47:58.556249 IP 172.28.6.15 > igmp.mcast.net: igmp v3 report, 1 group record(s)

Adding an incomplete PF rule "pass on $if inet proto igmp" and starting socat. No igmp traffic out, but nothing in pflog either. And that feels more like a bug?

One gotcha while debugging this: adding 'allow-opts' to the above rule and rerunning socat does not actually work immediately, you have to flush/wait for the states to expire. Then it works.