diff options
Diffstat (limited to 'package/network/services/igmpproxy/patches/003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch')
-rw-r--r-- | package/network/services/igmpproxy/patches/003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch | 164 |
1 files changed, 0 insertions, 164 deletions
diff --git a/package/network/services/igmpproxy/patches/003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch b/package/network/services/igmpproxy/patches/003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch deleted file mode 100644 index 90d4d5f25f..0000000000 --- a/package/network/services/igmpproxy/patches/003-Restrict-igmp-reports-for-downstream-interfaces-wrt-.patch +++ /dev/null @@ -1,164 +0,0 @@ -From 65f777e7f66b55239d935c1cf81bb5abc0f6c89f Mon Sep 17 00:00:00 2001 -From: Grinch <grinch79@users.sourceforge.net> -Date: Sun, 16 Aug 2009 19:58:26 +0500 -Subject: [PATCH] Restrict igmp reports for downstream interfaces (wrt #2833339) - -atm all igmp membership reports are forwarded to the upstream interface. -Unfortunately some ISP Providers restrict some multicast groups (esp. those -that are defined as local link groups and that are not supposed to be -forwarded to the wan, i.e 224.0.0.0/24). Therefore there should be some -kind of black oder whitelisting. -As whitelisting can be accomplished quite easy I wrote a litte patch, which -is attached to this request. ---- - doc/igmpproxy.conf.5.in | 19 +++++++++++++++++++ - src/config.c | 23 ++++++++++++++++++++++- - src/igmpproxy.h | 1 + - src/request.c | 20 ++++++++++++++++---- - 4 files changed, 58 insertions(+), 5 deletions(-) - -diff --git a/doc/igmpproxy.conf.5.in b/doc/igmpproxy.conf.5.in -index a4ea7d0..56efa22 100644 ---- a/doc/igmpproxy.conf.5.in -+++ b/doc/igmpproxy.conf.5.in -@@ -116,6 +116,25 @@ This is especially useful for the upstream interface, since the source for multi - traffic is often from a remote location. Any number of altnet parameters can be specified. - .RE - -+.B whitelist -+.I networkaddr -+.RS -+Defines a whitelist for multicast groups. The network address must be in the following -+format 'a.b.c.d/n'. If you want to allow one single group use a network mask of /32, -+i.e. 'a.b.c.d/32'. -+ -+By default all multicast groups are allowed on any downstream interface. If at least one -+whitelist entry is defined, all igmp membership reports for not explicitly whitelisted -+multicast groups will be ignored and therefore not be served by igmpproxy. This is especially -+useful, if your provider does only allow a predefined set of multicast groups. These whitelists -+are only obeyed by igmpproxy itself, they won't prevent any other igmp client running on the -+same machine as igmpproxy from requesting 'unallowed' multicast groups. -+ -+You may specify as many whitelist entries as needed. Although you should keep it as simple as -+possible, as this list is parsed for every membership report and therefore this increases igmp -+response times. Often used or large groups should be defined first, as parsing ends as soon as -+a group matches an entry. -+.RE - - .SH EXAMPLE - ## Enable quickleave -diff --git a/src/config.c b/src/config.c -index 5a96ce0..d72619f 100644 ---- a/src/config.c -+++ b/src/config.c -@@ -46,6 +46,9 @@ struct vifconfig { - - // Keep allowed nets for VIF. - struct SubnetList* allowednets; -+ -+ // Allowed Groups -+ struct SubnetList* allowedgroups; - - // Next config in list... - struct vifconfig* next; -@@ -202,6 +205,8 @@ void configureVifs() { - // Insert the configured nets... - vifLast->next = confPtr->allowednets; - -+ Dp->allowedgroups = confPtr->allowedgroups; -+ - break; - } - } -@@ -215,7 +220,7 @@ void configureVifs() { - */ - struct vifconfig *parsePhyintToken() { - struct vifconfig *tmpPtr; -- struct SubnetList **anetPtr; -+ struct SubnetList **anetPtr, **agrpPtr; - char *token; - short parseError = 0; - -@@ -239,6 +244,7 @@ struct vifconfig *parsePhyintToken() { - tmpPtr->threshold = 1; - tmpPtr->state = IF_STATE_DOWNSTREAM; - tmpPtr->allowednets = NULL; -+ tmpPtr->allowedgroups = NULL; - - // Make a copy of the token to store the IF name - tmpPtr->name = strdup( token ); -@@ -248,6 +254,7 @@ struct vifconfig *parsePhyintToken() { - - // Set the altnet pointer to the allowednets pointer. - anetPtr = &tmpPtr->allowednets; -+ agrpPtr = &tmpPtr->allowedgroups; - - // Parse the rest of the config.. - token = nextConfigToken(); -@@ -266,6 +273,20 @@ struct vifconfig *parsePhyintToken() { - anetPtr = &(*anetPtr)->next; - } - } -+ else if(strcmp("whitelist", token)==0) { -+ // Whitelist -+ token = nextConfigToken(); -+ my_log(LOG_DEBUG, 0, "Config: IF: Got whitelist token %s.", token); -+ -+ *agrpPtr = parseSubnetAddress(token); -+ if(*agrpPtr == NULL) { -+ parseError = 1; -+ my_log(LOG_WARNING, 0, "Unable to parse subnet address."); -+ break; -+ } else { -+ agrpPtr = &(*agrpPtr)->next; -+ } -+ } - else if(strcmp("upstream", token)==0) { - // Upstream - my_log(LOG_DEBUG, 0, "Config: IF: Got upstream token."); -diff --git a/src/igmpproxy.h b/src/igmpproxy.h -index 4dabd1c..0de7791 100644 ---- a/src/igmpproxy.h -+++ b/src/igmpproxy.h -@@ -145,6 +145,7 @@ struct IfDesc { - short Flags; - short state; - struct SubnetList* allowednets; -+ struct SubnetList* allowedgroups; - unsigned int robustness; - unsigned char threshold; /* ttl limit */ - unsigned int ratelimit; -diff --git a/src/request.c b/src/request.c -index e3589f6..89b91de 100644 ---- a/src/request.c -+++ b/src/request.c -@@ -82,10 +82,22 @@ void acceptGroupReport(uint32_t src, uint32_t group, uint8_t type) { - my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d", - inetFmt(group,s1), inetFmt(src,s2), sourceVif->index); - -- // The membership report was OK... Insert it into the route table.. -- insertRoute(group, sourceVif->index); -- -- -+ // If we don't have a whitelist we insertRoute and done -+ if(sourceVif->allowedgroups == NULL) -+ { -+ insertRoute(group, sourceVif->index); -+ return; -+ } -+ // Check if this Request is legit on this interface -+ struct SubnetList *sn; -+ for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next) -+ if((group & sn->subnet_mask) == sn->subnet_addr) -+ { -+ // The membership report was OK... Insert it into the route table.. -+ insertRoute(group, sourceVif->index); -+ return; -+ } -+ my_log(LOG_INFO, 0, "The group address %s may not be requested from this interface. Ignoring.", inetFmt(group, s1)); - } else { - // Log the state of the interface the report was recieved on. - my_log(LOG_INFO, 0, "Mebership report was recieved on %s. Ignoring.", --- -1.7.2.5 - |