Multicast issue, interface not leaving Multicast Group
Abelenda Diego
diego.abelenda at gmail.com
Fri Aug 7 13:25:34 UTC 2020
Hello,
I have discovered that I had a multicast issue for years I did not know about. I use a FreeBSD (opnsense) setup as router for my home network and have igmpproxy for IPTV. Somehow everything seemed to work, until I realized that my ISP was making a DoS with multicast. It is pretty much what was described years ago here: https://forum.netgate.com/topic/62591/igmp-issues-causing-isp-to-perform-multicast-dos-on-my-pfsense/7. But the solution of not using FreeBSD seems weird. So I dug a lot, learning about Multicast, IGMPv{2,3} etc. in the process. Here is an abstract of what I found:
igmpproxy is performing "correctly" in that it will act upon the IGMPv2 Join request from the TV box by joining the multicast groups correctly.
When the TV Box sends an IGMPv2 Leave request, igmpproxy will remove the source IP from the multicast table on the interface (the code is here: https://github.com/pali/igmpproxy/blob/b7940fc75b36d5bcc3a07654fc1af76f179302a9/src/mcgroup.c#L58-L60; this same call is used for joining and leaving).
This is where things start to go awry, as the action igmpproxy takes is not considered leaving the Multicast Group, so when the upstream multicast router sends an IGMPv3 Query, the Multicast Group is still listed in the IGMPv3 Report but in Exclude mode with the source listed in the excluded IPs.
My ISP sees that the Group is still listed so it continues to send the multicast traffic apparently ignoring that the source is Excluded.
Worst part is that killing igmpproxy changes nothing because the IGMPv3 Report is still sent (by the kernel I suppose since nothing should be running anymore) and includes the Multicast Groups as before. The only thing that resets the state of the Group Membership is bringing down the interface and reconfiguring it.
Is this caused by a wrong "leave" handling by igmpproxy? (If yes, is there an alternative?) Is there any way to manually leave Multicast Groups? I can see the Multicast forwarding table while igmpproxy is running with "netstat -g". I can also see the group membership state with "ifmcstat -i re1" but I have found no way to actually modify the membership of the interface.
Extra info:
When igmpproxy is running I can see two different kinds of entries in the Multicast Forwarding Table. For a Multicast group that is currently "joined" according to igmpproxy I can see a line something like:
    IPv4 Multicast Forwarding Table
     Origin          Group             Packets In-Vif  Out-Vifs:Ttls
     213.3.72.5      239.186.64.71       10763      2
For a multicast group that was previously joined but should not be anymore I see:
    IPv4 Multicast Forwarding Table
     Origin          Group             Packets In-Vif  Out-Vifs:Ttls
     213.3.72.5      239.186.68.20           0  65535
ifmcstat shows the multicast groups, with exclude mode set:
    # ifmcstat -i re1
    re1:
        inet $MY_PUBLIC_IP
        igmpv3 rv 2 qi 30 qri 50 uri 3
            group 239.186.64.71 mode exclude
                mcast-macaddr 01:00:5e:3a:40:47
            group 239.186.70.37 mode exclude
                mcast-macaddr 01:00:5e:3a:46:25
            group 239.186.68.242 mode exclude
                mcast-macaddr 01:00:5e:3a:44:f2
            group 239.186.68.178 mode exclude
                mcast-macaddr 01:00:5e:3a:44:b2
            group 239.186.68.20 mode exclude
                mcast-macaddr 01:00:5e:3a:44:14
            group 239.186.68.3 mode exclude
                mcast-macaddr 01:00:5e:3a:44:03
    [...]
Best regards,
Diego Abelenda
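
The cross-check described in the message, as an added example that is not part of the original post: it compares `netstat -g` output with `ifmcstat` output and lists groups the interface still reports as joined although no route forwards them. The sample text is constructed in the shape quoted above, the function names are hypothetical, and treating In-Vif 65535 as "no longer forwarded" is an assumption taken from the message's own observation.

```python
import ipaddress
import re

# Constructed sample input, shaped like the `netstat -g` and `ifmcstat -i re1`
# output quoted in the message (192.0.2.10 is a documentation address).
NETSTAT_G = """\
IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 213.3.72.5      239.186.64.71       10763      2
 213.3.72.5      239.186.68.20           0  65535
"""
IFMCSTAT = """\
re1:
    inet 192.0.2.10
    igmpv3 rv 2 qi 30 qri 50 uri 3
        group 224.0.0.1 mode exclude
            mcast-macaddr 01:00:5e:00:00:01
        group 239.186.64.71 mode exclude
            mcast-macaddr 01:00:5e:3a:40:47
        group 239.186.68.20 mode exclude
            mcast-macaddr 01:00:5e:3a:44:14
"""

NO_VIF = 65535  # assumption: In-Vif the message shows for a group that was left
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # never forwarded, always joined

def forwarded_groups(netstat_text):
    """Groups that have a forwarding entry with a real incoming vif."""
    active = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows are: origin, group, packets, in-vif [, out-vifs:ttls]
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit() and int(f[3]) != NO_VIF:
            active.add(f[1])
    return active

def joined_groups(ifmcstat_text):
    """Map each group the interface reports to its filter mode."""
    return dict(re.findall(r"group\s+(\S+)\s+mode\s+(\w+)", ifmcstat_text))

def stale_memberships(netstat_text, ifmcstat_text):
    """Groups still joined on the interface but not actively forwarded."""
    active = forwarded_groups(netstat_text)
    return sorted(g for g in joined_groups(ifmcstat_text)
                  if g not in active and ipaddress.ip_address(g) not in LINK_LOCAL)

if __name__ == "__main__":
    for group in stale_memberships(NETSTAT_G, IFMCSTAT):
        print("still joined, not forwarded:", group)
```
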