deac
/
exherbo-impulze
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

igmpproxy version bump to 0.1 

also apply upstream patches that aren't released yet
for/master
Daniel Mierswa 2012-02-04 13:47:52 +01:00
parent e627dcfe16
commit b3760819d8
5 changed files with 359 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

165
packages/net/igmpproxy/files/0001-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch Normal file
View File

@ -0,0 +1,165 @@
From 65f777e7f66b55239d935c1cf81bb5abc0f6c89f Mon Sep 17 00:00:00 2001
From: Grinch <grinch79@users.sourceforge.net>
Date: Sun, 16 Aug 2009 19:58:26 +0500
Subject: [PATCH] Restrict igmp reports for downstream interfaces (wrt
#2833339)
atm all igmp membership reports are forwarded to the upstream interface.
Unfortunately some ISP Providers restrict some multicast groups (esp. those
that are defined as local link groups and that are not supposed to be
forwarded to the wan, i.e 224.0.0.0/24). Therefore there should be some
kind of black oder whitelisting.
As whitelisting can be accomplished quite easy I wrote a litte patch, which
is attached to this request.
---
doc/igmpproxy.conf.5.in | 19 +++++++++++++++++++
src/config.c | 23 ++++++++++++++++++++++-
src/igmpproxy.h | 1 +
src/request.c | 20 ++++++++++++++++----
4 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/doc/igmpproxy.conf.5.in b/doc/igmpproxy.conf.5.in
index a4ea7d0..56efa22 100644
--- a/doc/igmpproxy.conf.5.in
+++ b/doc/igmpproxy.conf.5.in
@@ -116,6 +116,25 @@ This is especially useful for the upstream interface, since the source for multi
traffic is often from a remote location. Any number of altnet parameters can be specified.
.RE
+.B whitelist
+.I networkaddr
+.RS
+Defines a whitelist for multicast groups. The network address must be in the following
+format 'a.b.c.d/n'. If you want to allow one single group use a network mask of /32,
+i.e. 'a.b.c.d/32'.
+
+By default all multicast groups are allowed on any downstream interface. If at least one
+whitelist entry is defined, all igmp membership reports for not explicitly whitelisted
+multicast groups will be ignored and therefore not be served by igmpproxy. This is especially
+useful, if your provider does only allow a predefined set of multicast groups. These whitelists
+are only obeyed by igmpproxy itself, they won't prevent any other igmp client running on the
+same machine as igmpproxy from requesting 'unallowed' multicast groups.
+
+You may specify as many whitelist entries as needed. Although you should keep it as simple as
+possible, as this list is parsed for every membership report and therefore this increases igmp
+response times. Often used or large groups should be defined first, as parsing ends as soon as
+a group matches an entry.
+.RE
.SH EXAMPLE
## Enable quickleave
diff --git a/src/config.c b/src/config.c
index 5a96ce0..d72619f 100644
--- a/src/config.c
+++ b/src/config.c
@@ -46,6 +46,9 @@ struct vifconfig {
// Keep allowed nets for VIF.
struct SubnetList* allowednets;
+
+ // Allowed Groups
+ struct SubnetList* allowedgroups;
// Next config in list...
struct vifconfig* next;
@@ -202,6 +205,8 @@ void configureVifs() {
// Insert the configured nets...
vifLast->next = confPtr->allowednets;
+ Dp->allowedgroups = confPtr->allowedgroups;
+
break;
}
}
@@ -215,7 +220,7 @@ void configureVifs() {
*/
struct vifconfig *parsePhyintToken() {
struct vifconfig *tmpPtr;
- struct SubnetList **anetPtr;
+ struct SubnetList **anetPtr, **agrpPtr;
char *token;
short parseError = 0;
@@ -239,6 +244,7 @@ struct vifconfig *parsePhyintToken() {
tmpPtr->threshold = 1;
tmpPtr->state = IF_STATE_DOWNSTREAM;
tmpPtr->allowednets = NULL;
+ tmpPtr->allowedgroups = NULL;
// Make a copy of the token to store the IF name
tmpPtr->name = strdup( token );
@@ -248,6 +254,7 @@ struct vifconfig *parsePhyintToken() {
// Set the altnet pointer to the allowednets pointer.
anetPtr = &tmpPtr->allowednets;
+ agrpPtr = &tmpPtr->allowedgroups;
// Parse the rest of the config..
token = nextConfigToken();
@@ -266,6 +273,20 @@ struct vifconfig *parsePhyintToken() {
anetPtr = &(*anetPtr)->next;
}
}
+ else if(strcmp("whitelist", token)==0) {
+ // Whitelist
+ token = nextConfigToken();
+ my_log(LOG_DEBUG, 0, "Config: IF: Got whitelist token %s.", token);
+
+ *agrpPtr = parseSubnetAddress(token);
+ if(*agrpPtr == NULL) {
+ parseError = 1;
+ my_log(LOG_WARNING, 0, "Unable to parse subnet address.");
+ break;
+ } else {
+ agrpPtr = &(*agrpPtr)->next;
+ }
+ }
else if(strcmp("upstream", token)==0) {
// Upstream
my_log(LOG_DEBUG, 0, "Config: IF: Got upstream token.");
diff --git a/src/igmpproxy.h b/src/igmpproxy.h
index 4dabd1c..0de7791 100644
--- a/src/igmpproxy.h
+++ b/src/igmpproxy.h
@@ -145,6 +145,7 @@ struct IfDesc {
short Flags;
short state;
struct SubnetList* allowednets;
+ struct SubnetList* allowedgroups;
unsigned int robustness;
unsigned char threshold; /* ttl limit */
unsigned int ratelimit;
diff --git a/src/request.c b/src/request.c
index e3589f6..89b91de 100644
--- a/src/request.c
+++ b/src/request.c
@@ -82,10 +82,22 @@ void acceptGroupReport(uint32_t src, uint32_t group, uint8_t type) {
my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",
inetFmt(group,s1), inetFmt(src,s2), sourceVif->index);
- // The membership report was OK... Insert it into the route table..
- insertRoute(group, sourceVif->index);
-
-
+ // If we don't have a whitelist we insertRoute and done
+ if(sourceVif->allowedgroups == NULL)
+ {
+ insertRoute(group, sourceVif->index);
+ return;
+ }
+ // Check if this Request is legit on this interface
+ struct SubnetList *sn;
+ for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)
+ if((group & sn->subnet_mask) == sn->subnet_addr)
+ {
+ // The membership report was OK... Insert it into the route table..
+ insertRoute(group, sourceVif->index);
+ return;
+ }
+ my_log(LOG_INFO, 0, "The group address %s may not be requested from this interface. Ignoring.", inetFmt(group, s1));
} else {
// Log the state of the interface the report was recieved on.
my_log(LOG_INFO, 0, "Mebership report was recieved on %s. Ignoring.",
--
1.7.8.1

80
packages/net/igmpproxy/files/0001-Send-IGMP-packets-with-IP-Router-Alert-option-RFC-21.patch Normal file
View File

@ -0,0 +1,80 @@
From fed8c3db10bc9d3a1e799a774924c00522595d0c Mon Sep 17 00:00:00 2001
From: Evgeny Yurchenko <evg.yurch@rogers.com>
Date: Mon, 4 Jan 2010 05:13:59 +0500
Subject: [PATCH 1/3] Send IGMP packets with IP Router Alert option [RFC 2113]
included in IP header
---
src/igmp.c | 17 ++++++++++++-----
src/igmpproxy.h | 1 +
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/igmp.c b/src/igmp.c
index a0cd27d..b547688 100644
--- a/src/igmp.c
+++ b/src/igmp.c
@@ -67,7 +67,7 @@ void initIgmp() {
* - Checksum (let the kernel fill it in)
*/
ip->ip_v = IPVERSION;
- ip->ip_hl = sizeof(struct ip) >> 2;
+ ip->ip_hl = (sizeof(struct ip) + 4) >> 2; /* +4 for Router Alert option */
ip->ip_tos = 0xc0; /* Internet Control */
ip->ip_ttl = MAXTTL; /* applies to unicasts only */
ip->ip_p = IPPROTO_IGMP;
@@ -213,7 +213,7 @@ void buildIgmp(uint32_t src, uint32_t dst, int type, int code, uint32_t group, i
ip = (struct ip *)send_buf;
ip->ip_src.s_addr = src;
ip->ip_dst.s_addr = dst;
- ip_set_len(ip, MIN_IP_HEADER_LEN + IGMP_MINLEN + datalen);
+ ip_set_len(ip, IP_HEADER_RAOPT_LEN + IGMP_MINLEN + datalen);
if (IN_MULTICAST(ntohl(dst))) {
ip->ip_ttl = curttl;
@@ -221,13 +221,20 @@ void buildIgmp(uint32_t src, uint32_t dst, int type, int code, uint32_t group, i
ip->ip_ttl = MAXTTL;
}
- igmp = (struct igmp *)(send_buf + MIN_IP_HEADER_LEN);
+ /* Add Router Alert option */
+ ((u_char*)send_buf+MIN_IP_HEADER_LEN)[0] = IPOPT_RA;
+ ((u_char*)send_buf+MIN_IP_HEADER_LEN)[1] = 0x04;
+ ((u_char*)send_buf+MIN_IP_HEADER_LEN)[2] = 0x00;
+ ((u_char*)send_buf+MIN_IP_HEADER_LEN)[3] = 0x00;
+
+ igmp = (struct igmp *)(send_buf + IP_HEADER_RAOPT_LEN);
igmp->igmp_type = type;
igmp->igmp_code = code;
igmp->igmp_group.s_addr = group;
igmp->igmp_cksum = 0;
igmp->igmp_cksum = inetChksum((u_short *)igmp,
- IGMP_MINLEN + datalen);
+ IP_HEADER_RAOPT_LEN + datalen);
+
}
/*
@@ -257,7 +264,7 @@ void sendIgmp(uint32_t src, uint32_t dst, int type, int code, uint32_t group, in
#endif
sdst.sin_addr.s_addr = dst;
if (sendto(MRouterFD, send_buf,
- MIN_IP_HEADER_LEN + IGMP_MINLEN + datalen, 0,
+ IP_HEADER_RAOPT_LEN + IGMP_MINLEN + datalen, 0,
(struct sockaddr *)&sdst, sizeof(sdst)) < 0) {
if (errno == ENETDOWN)
my_log(LOG_ERR, errno, "Sender VIF was down.");
diff --git a/src/igmpproxy.h b/src/igmpproxy.h
index 0de7791..4df8a79 100644
--- a/src/igmpproxy.h
+++ b/src/igmpproxy.h
@@ -64,6 +64,7 @@
#define MAX_IP_PACKET_LEN 576
#define MIN_IP_HEADER_LEN 20
#define MAX_IP_HEADER_LEN 60
+#define IP_HEADER_RAOPT_LEN 24
#define MAX_MC_VIFS 32 // !!! check this const in the specific includes
--
1.7.8.1

44
packages/net/igmpproxy/files/0002-Change-default-interface-state-to-disabled-wrt-29458.patch Normal file
View File

@ -0,0 +1,44 @@
From 85e240727305b156097ee7aa0f0c4473a136291f Mon Sep 17 00:00:00 2001
From: Constantin Baranov <const@mimas.ru>
Date: Tue, 23 Feb 2010 21:08:02 +0400
Subject: [PATCH 2/3] Change default interface state to disabled (wrt
#2945877)
---
src/ifvc.c | 2 +-
src/igmpproxy.c | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ifvc.c b/src/ifvc.c
index 545b3b4..9d7ee97 100644
--- a/src/ifvc.c
+++ b/src/ifvc.c
@@ -139,7 +139,7 @@ void buildIfVc() {
IfDescEp->allowednets->subnet_addr = subnet;
// Set the default params for the IF...
- IfDescEp->state = IF_STATE_DOWNSTREAM;
+ IfDescEp->state = IF_STATE_DISABLED;
IfDescEp->robustness = DEFAULT_ROBUSTNESS;
IfDescEp->threshold = DEFAULT_THRESHOLD; /* ttl limit */
IfDescEp->ratelimit = DEFAULT_RATELIMIT;
diff --git a/src/igmpproxy.c b/src/igmpproxy.c
index 1ece15a..35000c7 100644
--- a/src/igmpproxy.c
+++ b/src/igmpproxy.c
@@ -186,8 +186,10 @@ int igmpProxyInit() {
}
}
- addVIF( Dp );
- vifcount++;
+ if (Dp->state != IF_STATE_DISABLED) {
+ addVIF( Dp );
+ vifcount++;
+ }
}
}
--
1.7.8.1

62
packages/net/igmpproxy/files/0003-Restrict-igmp-reports-forwarding-to-upstream-interfa.patch Normal file
View File

@ -0,0 +1,62 @@
From bcd7c648e86d97263c931de53a008c9629e7797e Mon Sep 17 00:00:00 2001
From: Stefan Becker <stefan.becker@nokia.com>
Date: Fri, 11 Dec 2009 21:08:57 +0200
Subject: [PATCH 3/3] Restrict igmp reports forwarding to upstream interface
Utilize the new "whitelist" keyword also on the upstream interface definition.
If specified then only whitelisted multicast groups will be forwarded upstream.
This can be used to avoid publishing private multicast groups to the world,
e.g. SSDP from a UPnP server on the internal network.
---
doc/igmpproxy.conf.5.in | 5 +++++
src/rttable.c | 17 +++++++++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/doc/igmpproxy.conf.5.in b/doc/igmpproxy.conf.5.in
index 56efa22..d916f05 100644
--- a/doc/igmpproxy.conf.5.in
+++ b/doc/igmpproxy.conf.5.in
@@ -134,6 +134,11 @@ You may specify as many whitelist entries as needed. Although you should keep it
possible, as this list is parsed for every membership report and therefore this increases igmp
response times. Often used or large groups should be defined first, as parsing ends as soon as
a group matches an entry.
+
+You may also specify whitelist entries for the upstream interface. Only igmp membership reports
+for explicitely whitelisted multicast groups will be sent out on the upstream interface. This
+is useful if you want to use multicast groups only between your downstream interfaces, like SSDP
+from a UPnP server.
.RE
.SH EXAMPLE
diff --git a/src/rttable.c b/src/rttable.c
index f0701a8..77dd791 100644
--- a/src/rttable.c
+++ b/src/rttable.c
@@ -117,6 +117,23 @@ void sendJoinLeaveUpstream(struct RouteTable* route, int join) {
my_log(LOG_ERR, 0 ,"FATAL: Unable to get Upstream IF.");
}
+ // Check if there is a white list for the upstram VIF
+ if (upstrIf->allowedgroups != NULL) {
+ uint32_t group = route->group;
+ struct SubnetList* sn;
+
+ // Check if this Request is legit to be forwarded to upstream
+ for(sn = upstrIf->allowedgroups; sn != NULL; sn = sn->next)
+ if((group & sn->subnet_mask) == sn->subnet_addr)
+ // Forward is OK...
+ break;
+
+ if (sn == NULL) {
+ my_log(LOG_INFO, 0, "The group address %s may not be forwarded upstream. Ignoring.", inetFmt(group, s1));
+ return;
+ }
+ }
+
// Send join or leave request...
if(join) {
--
1.7.8.1

8
packages/net/igmpproxy/igmpproxy-0.1_beta5.exheres-0 → packages/net/igmpproxy/igmpproxy-0.1.exheres-0
View File

@ -14,8 +14,16 @@ MYOPTIONS="baselayout"
DEPENDENCIES=""
DEFAULT_SRC_PREPARE_PATCHES=(
"${FILES}/0001-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch"
"${FILES}/0001-Send-IGMP-packets-with-IP-Router-Alert-option-RFC-21.patch"
"${FILES}/0002-Change-default-interface-state-to-disabled-wrt-29458.patch"
"${FILES}/0003-Restrict-igmp-reports-forwarding-to-upstream-interfa.patch"
)
src_install() {
default
if option baselayout ; then
newinitd "${FILES}/igmpproxy-init.d" igmpproxy
newconfd "${FILES}/igmpproxy-conf.d" igmpproxy