mcproxy: fix block/filtering code

mcproxy supports a generic filtering/blacklisting mechanism but it’s currently broken. In the case of routed video (e.g. mcproxy routing video from WAN -> LAN), it will forward multicast between the LAN and WAN. There are perfectly valid use cases for this like reporting but other less-appropriate things like mDNS and SSDP leak through from LAN -> WAN which is bad. Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu> Signed-off-by: Chad Monroe <chad.monroe@smartrg.com> Signed-off-by: John Crispin <john@phrozen.org>
2019-06-05 20:30:54 +02:00 · 2019-06-05 20:30:54 +02:00 · 490971e8e5
parent 35b886649b
commit 490971e8e5
3 changed files with 158 additions and 0 deletions
--- a/mcproxy/files/mcproxy.config
+++ b/mcproxy/files/mcproxy.config
@ -229,3 +229,11 @@ config behaviour
 	option direction 'out'
 	option whitelist '1'
 	option table '{(*|*)}'
+
+config blocks
+	# mDNS
+	list entries '(*|239.255.255.0/24)'
+	# SSDP
+	list entries '(*|224.0.0.0/24)'
+	# SLP
+	list entries '(*|239.192.0.0/16)'
--- a/mcproxy/patches/0005-fix-match-filter-calls.patch
+++ b/mcproxy/patches/0005-fix-match-filter-calls.patch
@ -0,0 +1,46 @@
+--- a/mcproxy/src/proxy/simple_mc_proxy_routing.cpp
+++ b/mcproxy/src/proxy/simple_mc_proxy_routing.cpp
+@@ -118,13 +118,13 @@ void interface_memberships::process_upst
+             for (auto source_it = cs.first.m_source_list.begin(); source_it != cs.first.m_source_list.end();) {
+ 
+                 //downstream out
+-                if (!cs.second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!cs.second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     source_it = cs.first.m_source_list.erase(source_it);
+                     continue;
+                 }
+ 
+                 //upstream in
+-                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     tmp_sstate.m_source_list.insert(*source_it);
+                     source_it = cs.first.m_source_list.erase(source_it);
+                     continue;
+@@ -175,13 +175,13 @@ void interface_memberships::process_upst
+             for (auto source_it = cs_it->first.m_source_list.begin(); source_it != cs_it->first.m_source_list.end();) {
+ 
+                 //downstream out
+-                if (!cs_it->second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!cs_it->second->match_output_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     ++source_it;
+                     continue;
+                 }
+ 
+                 //upstream in
+-                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), gaddr, source_it->saddr)) {
+                if (!upstr_e.m_interface->match_input_filter(interfaces::get_if_name(upstr_e.m_if_index), source_it->saddr, gaddr)) {
+                     ++source_it;
+                     continue;
+                 }
+@@ -619,9 +619,9 @@ bool simple_mc_proxy_routing::check_inte
+     std::string input_if_index_name = interfaces::get_if_name(input_if_index);
+     if (!input_if_index_name.empty()) {
+         if (interface_direction == ID_IN) {
+-            return interf->match_input_filter(input_if_index_name, gaddr, saddr);
+            return interf->match_input_filter(input_if_index_name, saddr, gaddr);
+         } else if (interface_direction == ID_OUT) {
+-            return interf->match_output_filter(input_if_index_name, gaddr, saddr);
+            return interf->match_output_filter(input_if_index_name, saddr, gaddr);
+         } else {
+             HC_LOG_ERROR("unkown interface direction");
+             return false;
--- a/mcproxy/patches/0006-block-ingress.patch
+++ b/mcproxy/patches/0006-block-ingress.patch
@ -0,0 +1,104 @@
+--- a/mcproxy/src/proxy/proxy_instance.cpp
+++ b/mcproxy/src/proxy/proxy_instance.cpp
+@@ -171,6 +171,9 @@ void proxy_instance::worker_thread()
+     HC_LOG_TRACE("");
+     while (m_running) {
+         auto msg = m_job_queue.dequeue();
+
+		HC_LOG_DEBUG("Proxy Message: " << msg->get_message_type_name(msg->get_type()) );
+
+         switch (msg->get_type()) {
+         case proxy_msg::TEST_MSG:
+             (*msg)();
+@@ -190,28 +193,80 @@ void proxy_instance::worker_thread()
+             } else {
+                 HC_LOG_DEBUG("failed to find querier of interface: " << interfaces::get_if_name(std::static_pointer_cast<timer_msg>(msg)->get_if_index()));
+             }
+-        }
+		}
+         break;
+         case proxy_msg::GROUP_RECORD_MSG: {
+-            auto r =  std::static_pointer_cast<group_record_msg>(msg);
+            auto gr =  std::static_pointer_cast<group_record_msg>(msg);
+ 
+             if (m_in_debug_testing_mode) {
+                 std::cout << "!!--ACTION: receive record" << std::endl;
+-                std::cout << *r << std::endl;
+                std::cout << *gr << std::endl;
+                 std::cout << std::endl;
+             }
+ 
+-            auto it = m_downstreams.find(r->get_if_index());
+			auto slist = gr->get_slist();
+			addr_storage saddr;
+			if ( slist.empty() )
+			{
+				saddr = "0.0.0.0";
+			}
+			else
+			{
+				saddr = slist.begin()->saddr;
+			}
+            auto it = m_downstreams.find(gr->get_if_index());
+             if (it != std::end(m_downstreams)) {
+-                it->second.m_querier->receive_record(msg);
+				// Check for input filters
+				if ( ! it->second.m_interface->match_input_filter( interfaces::get_if_name( gr->get_if_index() ),
+													   saddr,
+													   gr->get_gaddr() )
+					 )
+				{
+					HC_LOG_DEBUG("group report " << gr->get_gaddr() << " filtered");
+				}
+				else
+				{
+					it->second.m_querier->receive_record(msg);
+				}
+             } else {
+-                HC_LOG_DEBUG("failed to find querier of interface: " << interfaces::get_if_name(std::static_pointer_cast<timer_msg>(msg)->get_if_index()));
+                HC_LOG_DEBUG("failed to find querier of interface: " << interfaces::get_if_name( gr->get_if_index() ));
+             }
+-        }
+		}
+        break;
+        case proxy_msg::NEW_SOURCE_MSG: {
+			auto sm = std::static_pointer_cast<new_source_msg>(msg);
+			// Find the interface
+			std::shared_ptr<interface> interf;
+			auto it = m_downstreams.find(sm->get_if_index());
+			if (it != std::end(m_downstreams)) {
+				interf = it->second.m_interface;
+			} else {
+				for (auto & e : m_upstreams) {
+					if (e.m_if_index == sm->get_if_index()) {
+						interf = e.m_interface;
+						break;
+					}
+				}
+			}
+			if ( !interf )
+			{
+				HC_LOG_DEBUG("failed to find interface: " << interfaces::get_if_name( sm->get_if_index() ) << " for Source message " << sm->get_saddr()  << " | " << sm->get_gaddr() );
+				break;
+			}
+			// Check for input filters
+			if ( ! interf->match_input_filter( interfaces::get_if_name( sm->get_if_index() ),
+													   sm->get_saddr(),
+													   sm->get_gaddr() )
+					 )
+			{
+				HC_LOG_DEBUG("source " << sm->get_saddr()  << " | " << sm->get_gaddr() << " filtered");
+			}
+			else
+			{
+				m_routing_management->event_new_source(msg);
+			}
+		}
+         break;
+-        case proxy_msg::NEW_SOURCE_MSG:
+-            m_routing_management->event_new_source(msg);
+-            break;
+         case proxy_msg::NEW_SOURCE_TIMER_MSG:
+             m_routing_management->timer_triggerd_maintain_routing_table(msg);
+             break;
+             return false;