mcproxy: fix block/filtering code
authorJohn Crispin <john@phrozen.org>
Wed, 5 Jun 2019 18:30:54 +0000 (20:30 +0200)
committerJohn Crispin <john@phrozen.org>
Wed, 5 Jun 2019 18:33:21 +0000 (20:33 +0200)
mcproxy supports a generic filtering/blacklisting mechanism but it’s currently
broken. In the case of routed video (e.g. mcproxy routing video from
WAN -> LAN), it will forward multicast between the LAN and WAN. There are
perfectly valid use cases for this, like reporting, but other, less-appropriate
things like mDNS and SSDP leak through from LAN -> WAN, which is bad.

Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu>
Signed-off-by: Chad Monroe <chad.monroe@smartrg.com>
Signed-off-by: John Crispin <john@phrozen.org>
mcproxy/files/mcproxy.config
mcproxy/patches/0005-fix-match-filter-calls.patch [new file with mode: 0644]
mcproxy/patches/0006-block-ingress.patch [new file with mode: 0644]

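--- a/mcproxy/files/mcproxy.config
+++ b/mcproxy/files/mcproxy.config
@@ -229,3 +229,11 @@ config behaviour
        option direction 'out'
        option whitelist '1'
        option table '{(*|*)}'
+
+config blocks
+       # mDNS
+       list entries '(*|239.255.255.0/24)'
+       # SSDP
+       list entries '(*|224.0.0.0/24)'
+       # SLP
+       list entries '(*|239.192.0.0/16)'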
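Review bot: The comments on the new `blocks` entries do not match the prefixes beneath them: mDNS uses 224.0.0.251, which falls in `224.0.0.0/24` (labelled `# SSDP`), while SSDP uses 239.255.255.250, which falls in `239.255.255.0/24` (labelled `# mDNS`), so the `# mDNS` and `# SSDP` comment lines should be swapped. Someone later narrowing one of these ranges would otherwise edit the wrong entry. Note also that `224.0.0.0/24` is the whole link-local control block (224.0.0.1 all-hosts, 224.0.0.22 IGMP, and so on), so that entry blocks considerably more than mDNS; if only mDNS is meant, `list entries '(*|224.0.0.251)'` is the narrower rule. How `config blocks` is consumed, and whether the entries apply per interface or per direction, is not visible in this commit.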
diff --git a/mcproxy/patches/0005-fix-match-filter-calls.patch b/mcproxy/patches/0005-fix-match-filter-calls.patch
new file mode 100644 (file)
index 0000000..c6956e0
--- /dev/null
@@ -0,0 +1,46 @@
+--- a/mcproxy/src/proxy/simple_mc_proxy_routing.cpp
++++ b/mcproxy/src/proxy/simple_mc_proxy_routing.cpp
+@@ -118,13 +118,13 @@ void interface_memberships::process_upst
+             for (auto source_it = cs.first.m_source_list.begin(); source_it != cs.first.m_source_list.end();) {
+                 //downstream out
+-                if (!cs.second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
++                if (!cs.second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     source_it = cs.first.m_source_list.erase(source_it);
+                     continue;
+                 }
+                 //upstream in
+-                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
++                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     tmp_sstate.m_source_list.insert(*source_it);
+                     source_it = cs.first.m_source_list.erase(source_it);
+                     continue;
+@@ -175,13 +175,13 @@ void interface_memberships::process_upst
+             for (auto source_it = cs_it->first.m_source_list.begin(); source_it != cs_it->first.m_source_list.end();) {
+                 //downstream out
+-                if (!cs_it->second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
++                if (!cs_it->second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     ++source_it;
+                     continue;
+                 }
+                 //upstream in
+-                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
++                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     ++source_it;
+                     continue;
+                 }
+@@ -619,9 +619,9 @@ bool simple_mc_proxy_routing::check_inte
+     std::string input_if_index_name = interfaces::get_if_name(input_if_index);
+     if (!input_if_index_name.empty()) {
+         if (interface_direction == ID_IN) {
+-            return interf->match_input_filter(input_if_index_name, gaddr, saddr);
++            return interf->match_input_filter(input_if_index_name, saddr, gaddr);
+         } else if (interface_direction == ID_OUT) {
+-            return interf->match_output_filter(input_if_index_name, gaddr, saddr);
++            return interf->match_output_filter(input_if_index_name, saddr, gaddr);
+         } else {
+             HC_LOG_ERROR("unkown interface direction");
+             return false;
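Review bot: The patch swaps the last two arguments of every `match_input_filter`/`match_output_filter` call but carries no header explaining why, and the declaration that fixes the parameter order is not part of any hunk, so a reviewer has to take on trust that the signature is `(if_name, saddr, gaddr)`. Please add a description above the first `---` line, e.g. `interface::match_input_filter()/match_output_filter() take (if_name, saddr, gaddr); the callers passed (if_name, gaddr, saddr), so table rules written as (source|group) were matched the wrong way round`, naming the header it was checked against. If that reading is right, the old order presumably meant a blacklist rule such as `(*|group)` never matched, i.e. the filter failed open, which would be the breakage the commit message describes; it is worth confirming that no other caller outside these three hunks still uses the old order. The enclosing functions `interface_memberships::process_upst…` and `simple_mc_proxy_routing::check_inte…` (names truncated in the hunk headers) begin and end outside the hunks.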
diff --git a/mcproxy/patches/0006-block-ingress.patch b/mcproxy/patches/0006-block-ingress.patch
new file mode 100644 (file)
index 0000000..c8bcdb3
--- /dev/null
@@ -0,0 +1,104 @@
+--- a/mcproxy/src/proxy/proxy_instance.cpp
++++ b/mcproxy/src/proxy/proxy_instance.cpp
+@@ -171,6 +171,9 @@ void proxy_instance::worker_thread()
+     HC_LOG_TRACE("");
+     while (m_running) {
+         auto msg = m_job_queue.dequeue();
++
++              HC_LOG_DEBUG("Proxy Message: " << msg->get_message_type_name(msg->get_type()) );
++
+         switch (msg->get_type()) {
+         case proxy_msg::TEST_MSG:
+             (*msg)();
+@@ -190,28 +193,80 @@ void proxy_instance::worker_thread()
+             } else {
+                 HC_LOG_DEBUG("failed to find querier of interface: " << interfaces::get_if_name(std::static_pointer_cast<timer_msg>(msg)->get_if_index()));
+             }
+-        }
++              }
+         break;
+         case proxy_msg::GROUP_RECORD_MSG: {
+-            auto r =  std::static_pointer_cast<group_record_msg>(msg);
++            auto gr =  std::static_pointer_cast<group_record_msg>(msg);
+             if (m_in_debug_testing_mode) {
+                 std::cout << "!!--ACTION: receive record" << std::endl;
+-                std::cout << *r << std::endl;
++                std::cout << *gr << std::endl;
+                 std::cout << std::endl;
+             }
+-            auto it = m_downstreams.find(r->get_if_index());
++                      auto slist = gr->get_slist();
++                      addr_storage saddr;
++                      if ( slist.empty() )
++                      {
++                              saddr = "0.0.0.0";
++                      }
++                      else
++                      {
++                              saddr = slist.begin()->saddr;
++                      }
++            auto it = m_downstreams.find(gr->get_if_index());
+             if (it != std::end(m_downstreams)) {
+-                it->second.m_querier->receive_record(msg);
++                              // Check for input filters
++                              if ( ! it->second.m_interface->match_input_filter( interfaces::get_if_name( gr->get_if_index() ),
++                                                                                                         saddr,
++                                                                                                         gr->get_gaddr() )
++                                       )
++                              {
++                                      HC_LOG_DEBUG("group report " << gr->get_gaddr() << " filtered");
++                              }
++                              else
++                              {
++                                      it->second.m_querier->receive_record(msg);
++                              }
+             } else {
+-                HC_LOG_DEBUG("failed to find querier of interface: " << interfaces::get_if_name(std::static_pointer_cast<timer_msg>(msg)->get_if_index()));
++                HC_LOG_DEBUG("failed to find querier of interface: " << interfaces::get_if_name( gr->get_if_index() ));
+             }
+-        }
++              }
++        break;
++        case proxy_msg::NEW_SOURCE_MSG: {
++                      auto sm = std::static_pointer_cast<new_source_msg>(msg);
++                      // Find the interface
++                      std::shared_ptr<interface> interf;
++                      auto it = m_downstreams.find(sm->get_if_index());
++                      if (it != std::end(m_downstreams)) {
++                              interf = it->second.m_interface;
++                      } else {
++                              for (auto & e : m_upstreams) {
++                                      if (e.m_if_index == sm->get_if_index()) {
++                                              interf = e.m_interface;
++                                              break;
++                                      }
++                              }
++                      }
++                      if ( !interf )
++                      {
++                              HC_LOG_DEBUG("failed to find interface: " << interfaces::get_if_name( sm->get_if_index() ) << " for Source message " << sm->get_saddr()  << " | " << sm->get_gaddr() );
++                              break;
++                      }
++                      // Check for input filters
++                      if ( ! interf->match_input_filter( interfaces::get_if_name( sm->get_if_index() ),
++                                                                                                         sm->get_saddr(),
++                                                                                                         sm->get_gaddr() )
++                                       )
++                      {
++                              HC_LOG_DEBUG("source " << sm->get_saddr()  << " | " << sm->get_gaddr() << " filtered");
++                      }
++                      else
++                      {
++                              m_routing_management->event_new_source(msg);
++                      }
++              }
+         break;
+-        case proxy_msg::NEW_SOURCE_MSG:
+-            m_routing_management->event_new_source(msg);
+-            break;
+         case proxy_msg::NEW_SOURCE_TIMER_MSG:
+             m_routing_management->timer_triggerd_maintain_routing_table(msg);
+             break;
+             return false;