mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-27 11:13:24 +02:00
Major change in these patches for the user is the addition of a whitelist item for up- and downstream interfaces. Excerpt from one of the patches: Defines a whitelist for multicast groups. The network address must be in the following format 'a.b.c.d/n'. If you want to allow one single group, use a network mask of /32, i.e. 'a.b.c.d/32'. By default all multicast groups are allowed on any downstream interface. If at least one whitelist entry is defined, all igmp membership reports for not explicitly whitelisted multicast groups will be ignored and therefore not be served by igmpproxy. This is especially useful if your provider only allows a predefined set of multicast groups. These whitelists are only obeyed by igmpproxy itself; they won't prevent any other igmp client running on the same machine as igmpproxy from requesting 'unallowed' multicast groups. You may specify as many whitelist entries as needed, although you should keep it as simple as possible, as this list is parsed for every membership report and therefore increases igmp response times. Often used or large groups should be defined first, as parsing ends as soon as a group matches an entry.
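To make the whitelist semantics described above concrete, here is an added example (my own code, not igmpproxy's or bpfire's) that parses 'a.b.c.d/n' entries into the subnet_addr/subnet_mask form the patch below matches against, and performs the same first-match lookup, including the "no whitelist means allow all" default. The names wl_parse, wl_match, wl_allows and SAMPLE_WHITELIST are hypothetical, and the sample list is constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Same shape as the patch's subnet_addr / subnet_mask pair, host byte order. */
struct wl_entry { uint32_t addr; uint32_t mask; };

/* Parse 'a.b.c.d/n' (hypothetical helper, not igmpproxy's own parser).
 * Returns 0 on success, -1 on a malformed entry; /32 selects one group. */
int wl_parse(const char *text, struct wl_entry *out)
{
    char buf[32], *slash, *end;
    struct in_addr ia; long n;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) == NULL) return -1;   /* '/n' is mandatory */
    *slash = '\0';
    n = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || n < 0 || n > 32) return -1;
    if (inet_pton(AF_INET, buf, &ia) != 1) return -1;
    out->mask = n == 0 ? 0 : 0xFFFFFFFFu << (32 - n);   /* avoid a 32-bit shift */
    out->addr = ntohl(ia.s_addr) & out->mask;           /* drop host bits */
    return 0;
}

/* First-match lookup with the patch's test, (group & mask) == addr: index of
 * the first entry containing the group, -1 if none, -2 on a malformed address. */
int wl_match(const char *const *entries, size_t count, const char *group)
{
    struct wl_entry e; struct in_addr ia;
    uint32_t g; size_t i;
    if (inet_pton(AF_INET, group, &ia) != 1) return -2;
    g = ntohl(ia.s_addr);
    for (i = 0; i < count; i++) {
        if (wl_parse(entries[i], &e) != 0) return -2;
        if ((g & e.mask) == e.addr) return (int)i;   /* parsing stops at the first hit */
    }
    return -1;
}

/* igmpproxy's rule: no whitelist at all means every group is allowed. */
int wl_allows(const char *const *entries, size_t count, const char *group)
{
    return count == 0 ? 1 : wl_match(entries, count, group) >= 0;
}

/* Constructed sample: the SSDP group first, then the whole multicast block. */
const char *const SAMPLE_WHITELIST[] = { "239.255.255.250/32", "224.0.0.0/4" };
const size_t SAMPLE_COUNT = 2;
```

Because entries are tried in order, putting the most frequently reported group first (as the text recommends) means the loop ends at index 0 for it instead of scanning the whole list.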
63 lines
2.4 KiB
From bcd7c648e86d97263c931de53a008c9629e7797e Mon Sep 17 00:00:00 2001
From: Stefan Becker <stefan.becker@nokia.com>
Date: Fri, 11 Dec 2009 21:08:57 +0200
Subject: [PATCH] Restrict igmp reports forwarding to upstream interface

Utilize the new "whitelist" keyword also on the upstream interface definition.
If specified then only whitelisted multicast groups will be forwarded upstream.

This can be used to avoid publishing private multicast groups to the world,
e.g. SSDP from a UPnP server on the internal network.
---
doc/igmpproxy.conf.5.in | 5 +++++
src/rttable.c | 17 +++++++++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/doc/igmpproxy.conf.5.in b/doc/igmpproxy.conf.5.in
index 56efa22..d916f05 100644
--- a/doc/igmpproxy.conf.5.in
+++ b/doc/igmpproxy.conf.5.in
@@ -134,6 +134,11 @@ You may specify as many whitelist entries as needed. Although you should keep it
possible, as this list is parsed for every membership report and therefore this increases igmp
response times. Often used or large groups should be defined first, as parsing ends as soon as
a group matches an entry.
+
+You may also specify whitelist entries for the upstream interface. Only igmp membership reports
+for explicitely whitelisted multicast groups will be sent out on the upstream interface. This
+is useful if you want to use multicast groups only between your downstream interfaces, like SSDP
+from a UPnP server.
.RE

.SH EXAMPLE
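Review bot: typo in the added man-page paragraph: "explicitely" should be "explicitly". Since this paragraph is the only place a user learns that the upstream whitelist suppresses joins, it would also help to state that a report for a group outside the list is dropped and only logged, not forwarded, and that upstream entries use the same 'a.b.c.d/n' notation (with /32 for a single group) as the downstream whitelist described just above.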
diff --git a/src/rttable.c b/src/rttable.c
index f0701a8..77dd791 100644
--- a/src/rttable.c
+++ b/src/rttable.c
@@ -117,6 +117,23 @@ void sendJoinLeaveUpstream(struct RouteTable* route, int join) {
my_log(LOG_ERR, 0 ,"FATAL: Unable to get Upstream IF.");
}

+ // Check if there is a white list for the upstram VIF
+ if (upstrIf->allowedgroups != NULL) {
+ uint32_t group = route->group;
+ struct SubnetList* sn;
+
+ // Check if this Request is legit to be forwarded to upstream
+ for(sn = upstrIf->allowedgroups; sn != NULL; sn = sn->next)
+ if((group & sn->subnet_mask) == sn->subnet_addr)
+ // Forward is OK...
+ break;
+
+ if (sn == NULL) {
+ my_log(LOG_INFO, 0, "The group address %s may not be forwarded upstream. Ignoring.", inetFmt(group, s1));
+ return;
+ }
+ }
+
// Send join or leave request...
if(join) {
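Review bot: the new block dereferences upstrIf immediately after the "FATAL: Unable to get Upstream IF." branch shown in the context; that is only safe if my_log(LOG_ERR, ...) never returns, otherwise a NULL upstrIf reaches `upstrIf->allowedgroups`. Either return right after that error log or guard the check with `upstrIf != NULL &&`. Smaller points: the brace-less for/if with a comment line between the condition and `break;` is easy to misread, so give both bodies braces; "upstram" in the comment should be "upstream"; and because the check runs before the join/leave branch, a leave for a group that was joined earlier but is no longer whitelisted after a configuration change is dropped as well, which leaves a stale upstream membership behind.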

--
1.7.2.5