blacklist support


coli...@gmail.com

Jun 5, 2017, 2:57:02 PM
to Multicast Proxy
Hi,
I'm using mcproxy version from the top of master branch from github.

I'm trying to block certain multicast groups from being added to the routing tables.
e.g.
239.255.255.250

My configuration is relatively simple, there is only one upstream and one downstream interface.

Here is what I have for a configuration:

protocol IGMPv2;
pinstance video2lan: "br-video" ==> "br-lan";
table blocked {
        (*|239.255.255.250)
};
pinstance video2lan upstream "br-video" in blacklist table blocked;
pinstance video2lan upstream "br-video" out blacklist table blocked;
pinstance video2lan downstream "br-lan" in blacklist table blocked;
pinstance video2lan downstream "br-lan" out blacklist table blocked;


However, I still get this group in the route table:

 # ip mroute
(192.168.6.25, 239.255.255.250)  Iif: br-lan     Oifs: br-video 
(192.168.1.25, 239.255.255.250)  Iif: br-lan     Oifs: br-video 
(192.168.5.25, 239.255.255.250)  Iif: br-lan     Oifs: br-video 
(192.168.200.25, 239.255.255.250) Iif: br-lan     Oifs: br-video 
(10.0.3.161, 239.255.255.250)    Iif: br-video   Oifs: br-lan 

I've tried a number of variations on blacklist, but have not found anything that will work.

Is the blacklist actually implemented?
Any thoughts on what I may be doing wrong?
If I wanted to list more addresses in the table, what is the syntax?


Colin..





Sebastian Woelke

Jun 6, 2017, 8:21:53 AM
to Multicast Proxy, coli...@gmail.com
Hello Colin,

> Is the blacklist actually implemented?
Yes, blacklists and whitelists are implemented, but unfortunately they have a bug ...
Only the IGMP Include mode works adequately with filters.
That's why this feature is not documented and I would not recommend using it.

Besides, the configuration looks good, so you are running into the bug.
Unfortunately, I also have no free cycles to fix this in the near future.

For the sake of completeness, a table with entries would look like this:
table blocked {
        (*|239.255.255.250)
        (*|239.255.255.251)
        (*|239.255.255.253)
};


Regards,
Sebastian
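
A check for the symptom described in this thread, as an added example that is not part of the original posts or of mcproxy: it parses the `table` block and the `ip mroute` output quoted above and reports routes whose group is blacklisted but still installed. It assumes only the `(source|group)` entry forms shown here (an exact address or `*`); the function names are hypothetical and the last sample route is constructed.

```python
import ipaddress
import re

# Table from the reply above and `ip mroute` output from the first post.
# The last route is constructed here to show a group that is not blocked.
TABLE = """table blocked {
        (*|239.255.255.250)
        (*|239.255.255.251)
        (*|239.255.255.253)
};"""
MROUTE = """(192.168.6.25, 239.255.255.250)  Iif: br-lan     Oifs: br-video
(192.168.1.25, 239.255.255.250)  Iif: br-lan     Oifs: br-video
(192.168.5.25, 239.255.255.250)  Iif: br-lan     Oifs: br-video
(192.168.200.25, 239.255.255.250) Iif: br-lan     Oifs: br-video
(10.0.3.161, 239.255.255.250)    Iif: br-video   Oifs: br-lan
(10.0.3.161, 239.1.1.1)          Iif: br-video   Oifs: br-lan"""

ENTRY_RE = re.compile(r"\(\s*([^|()\s]+)\s*\|\s*([^|()\s]+)\s*\)")
ROUTE_RE = re.compile(r"^\((\S+),\s*(\S+)\)\s+Iif:\s*(\S+)\s+Oifs:\s*(.*)$")

def parse_tables(text):
    """Return {table name: [(source pattern, group pattern), ...]}."""
    found = re.findall(r"table\s+(\w+)\s*\{(.*?)\}\s*;", text, re.S)
    return {name: ENTRY_RE.findall(body) for name, body in found}

def parse_mroute(text):
    """Return [(source, group, input interface, [output interfaces]), ...]."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m[1], m[2], m[3], m[4].split()))
    return routes

def _same(pattern, addr):
    # "*" is the wildcard; otherwise compare as parsed addresses, not strings.
    return pattern == "*" or ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)

def leaked_routes(entries, routes):
    """Routes whose (source, group) matches any blacklist entry."""
    return [r for r in routes
            if any(_same(s, r[0]) and _same(g, r[1]) for s, g in entries)]

if __name__ == "__main__":
    for src, grp, iif, oifs in leaked_routes(parse_tables(TABLE)["blocked"],
                                             parse_mroute(MROUTE)):
        print(f"blacklisted group still routed: ({src}, {grp}) {iif} -> {oifs}")
```

An empty result from `leaked_routes` is what a working blacklist would produce for this table.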

coli...@gmail.com

Jun 7, 2017, 4:22:07 AM
to Multicast Proxy, coli...@gmail.com
Ok, that explains it. Thanks for the info.
I'd like to get this to work, as a firewall rule to block these groups is not really what I want. I just don't want them forwarded.

I can dig into the code and post a pull request if I figure it out.
Any pointers on where to start looking?

Thanks,

Colin..

Sebastian Woelke

Jun 7, 2017, 5:05:43 AM
to Multicast Proxy, coli...@gmail.com
Hello Colin,

I tried to tackle this problem in the branch "bug_fix_multi_upstream_aggregation".
I added a unit test suite and I thought the commit "Finished multiupstream membership aggregation" would fix the problem.
Unfortunately, as the test suite shows, it doesn't.

Class simple_membership_aggregation merges the states with include and exclude lists from all downstreams, then filters them with blacklists and whitelists, and creates and aggregates the result to multiple upstreams.
It is quite a complex problem.
You could reduce the complexity by writing a class for just one upstream and e.g. interface-specific blacklists and whitelists.

Regards,
Sebastian

coli...@gmail.com

Jun 8, 2017, 3:26:53 AM
to Multicast Proxy, coli...@gmail.com
Here is a patch to fix the parameter order issue for the filtering...

--- a/mcproxy/src/proxy/simple_mc_proxy_routing.cpp
+++ b/mcproxy/src/proxy/simple_mc_proxy_routing.cpp
@@ -118,13 +118,13 @@ void interface_memberships::process_upst
             for (auto source_it = cs.first.m_source_list.begin(); source_it != cs.first.m_source_list.end();) {
 
                 //downstream out
-                if (!cs.second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!cs.second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
                     source_it = cs.first.m_source_list.erase(source_it);
                     continue;
                 }
 
                 //upstream in
-                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
                     tmp_sstate.m_source_list.insert(*source_it);
                     source_it = cs.first.m_source_list.erase(source_it);
                     continue;
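Review bot: both calls in this hunk change from (gaddr, source_it->saddr) to (source_it->saddr, gaddr), and since the old order evidently compiled, the patch alone gives no way to confirm which order match_output_filter and match_input_filter declare. Please quote their signatures in the commit message or point at the declarations, and consider a short comment at the call sites naming the expected order, because the same swap recurs at every call site this patch touches.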
@@ -175,13 +175,13 @@ void interface_memberships::process_upst
             for (auto source_it = cs_it->first.m_source_list.begin(); source_it != cs_it->first.m_source_list.end();) {
 
                 //downstream out
-                if (!cs_it->second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!cs_it->second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
                     ++source_it;
                     continue;
                 }
 
                 //upstream in
-                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
                     ++source_it;
                     continue;
                 }
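Review bot: the "downstream out" and "upstream in" checks in this hunk have identical bodies (++source_it; continue;) and repeat the two filter calls from the previous hunk with the same arguments. A small helper that takes the source and group address and runs both filters would keep the argument order in one place, so a future mix-up cannot affect one loop and not the other.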
@@ -619,9 +619,9 @@ bool simple_mc_proxy_routing::check_inte
     std::string input_if_index_name = interfaces::get_if_name(input_if_index);
     if (!input_if_index_name.empty()) {
         if (interface_direction == ID_IN) {
-            return interf->match_input_filter(input_if_index_name, gaddr, saddr);
+            return interf->match_input_filter(input_if_index_name, saddr, gaddr);
         } else if (interface_direction == ID_OUT) {
-            return interf->match_output_filter(input_if_index_name, gaddr, saddr);
+            return interf->match_output_filter(input_if_index_name, saddr, gaddr);
         } else {
             HC_LOG_ERROR("unkown interface direction");
             return false;
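Review bot: the patch touches only simple_mc_proxy_routing.cpp and adds no test, so nothing guards the corrected order in the ID_IN and ID_OUT branches against regressing. A test that applies a (*|group) blacklist entry and expects that group to be rejected by the filter would cover it. While here, the log string in the context line reads "unkown interface direction"; "unknown" is meant.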


