If you are wondering where the data of this site comes from, please visit https://api.github.com/users/bket/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.

bket/audacious-plugins 0

Plugins for Audacious music player

bket/borg 0

Deduplicating archiver with compression and authenticated encryption.

bket/bupstash 0

Easy and efficient encrypted backups.

bket/conf2struct 0

Create C parsers for libconfig and command-line, which get read directly to a `struct`

bket/git-cola 0

git-cola: The highly caffeinated Git GUI

bket/igmpproxy 0

IGMP multicast routing daemon

bket/lastpass-cli 0

LastPass command line interface tool

bket/lz4 0

Extremely Fast Compression algorithm

bket/mcast-proxy 0

Multicast Proxy for OpenBSD

bket/neomutt 0

Teaching an Old Dog New Tricks -- IRC: #neomutt on irc.freenode.net

push event bket/igmpproxy

Björn Ketelaars

commit sha cfad33001fc5031399bdd073048ca86889378678

Complement phyint whitelist with blacklist Fixes: #54 Implement new phyint configuration option (blacklist), which enables blocking of specific traffic.

view details

push time in 14 days

delete branch bket/igmpproxy

delete branch: blacklist

delete time in 14 days


Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 static void sendJoinLeaveUpstream(struct RouteTable* route, int join) {                 my_log(LOG_ERR, 0 ,"FATAL: Unable to get Upstream IF.");             } -            // Check if there is a white list for the upstram VIF+            // Check if there is a black- or whitelist for the upstram VIF             if (upstrIf->allowedgroups != NULL) {-              uint32_t           group = route->group;-                struct SubnetList* sn;+                bool                 block_list = false;+                struct SubnetList   *match = NULL;+                struct SubnetList   *sn;+                uint32_t             group = route->group;                  // Check if this Request is legit to be forwarded to upstream-                for(sn = upstrIf->allowedgroups; sn != NULL; sn = sn->next)+                for(sn = upstrIf->allowedgroups; sn != NULL; sn = sn->next) {+                    // Check if there is a blacklist+                    if (!sn->allow)+                        block_list = true;                     if((group & sn->subnet_mask) == sn->subnet_addr)-                        // Forward is OK...-                        break;+                        match = sn;+                } -                if (sn == NULL) {+                if((block_list && match != NULL && !match->allow) ||+                  (!block_list && match == NULL)) {                     my_log(LOG_INFO, 0, "The group address %s may not be forwarded upstream. Ignoring.", inetFmt(group, s1));
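Review bot: the ignore condition at the end of this hunk forwards any group that matches no rule as soon as one blacklist entry exists (`block_list && match == NULL` satisfies neither disjunct), so an upstream interface configured with both whitelist and blacklist entries silently loses the whitelist's default-deny; only the `!block_list && match == NULL` case is rejected. Track whether a whitelist entry exists instead and ignore the group when `allow_list && (match == NULL || !match->allow)` or when `!allow_list && match != NULL`. Minor: the rewritten comment carries over the "upstram" typo from the line it replaces.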

Damnit, I'm starting to regret this PR ;-)

Should be fixed now.

I copied the evaluation from request.c, and negate the result.

                // Keep in sync with request.c, note the negation
                if(!((!allow_list && match == NULL) ||
                  (allow_list && match != NULL && match->allow))) {
bket

comment created time in 14 days

push event bket/igmpproxy

Björn Ketelaars

commit sha cfad33001fc5031399bdd073048ca86889378678

Complement phyint whitelist with blacklist Fixes: #54 Implement new phyint configuration option (blacklist), which enables blocking of specific traffic.

view details

push time in 14 days

Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 void acceptGroupReport(uint32_t src, uint32_t group) {         my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",             inetFmt(group,s1), inetFmt(src,s2), sourceVif->index); -        // If we don't have a whitelist we insertRoute and done+        // If we don't have a black- and whitelist we insertRoute and done         if(sourceVif->allowedgroups == NULL)         {             insertRoute(group, sourceVif->index, src);             return;         }+         // Check if this Request is legit on this interface-        struct SubnetList *sn;-        for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)+        bool                 allow_list = 0;+        bool                 block_list = 0;
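Review bot: `bool allow_list = 0;` and `bool block_list = 0;` initialise the new bool flags with integer literals; use `false` here (and `true`/`false` where they are set) now that the type is bool. The reworded comment should also read "black- or whitelist", since the early return fires when neither list is configured, not when both are missing together.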

Changed to keyword...

bket

comment created time in 14 days


Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 void acceptGroupReport(uint32_t src, uint32_t group) {         my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",             inetFmt(group,s1), inetFmt(src,s2), sourceVif->index); -        // If we don't have a whitelist we insertRoute and done+        // If we don't have a black- and whitelist we insertRoute and done         if(sourceVif->allowedgroups == NULL)         {             insertRoute(group, sourceVif->index, src);             return;         }+         // Check if this Request is legit on this interface-        struct SubnetList *sn;-        for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)+        bool                 allow_list = 0;+        bool                 block_list = 0;+        struct SubnetList   *match = NULL;+        struct SubnetList   *sn;++        for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next) {+            // Check if there are black and/or whitelists+            if (sn->allow)+                allow_list = 1;+            else+                block_list = 1;             if((group & sn->subnet_mask) == sn->subnet_addr)-            {-                // The membership report was OK... Insert it into the route table..-                insertRoute(group, sourceVif->index, src);-                return;+                match = sn;+        }++        if((!allow_list && block_list &&+          (match == NULL || (match != NULL && match->allow ))) ||+          (allow_list && match != NULL && match->allow)) {
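Review bot: the permit condition at the end of the hunk is longer than the decision it encodes. Every entry is either allow or block, so once `allowedgroups` is non-empty `!allow_list` already implies `block_list`, and in that branch no entry has `allow` set, which makes `(match != NULL && match->allow)` unreachable; `match != NULL &&` inside `match == NULL || (...)` is redundant as well. The same decision reads `(!allow_list && match == NULL) || (allow_list && match != NULL && match->allow)`, after which the `block_list` flag can be dropped.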

Evaluation has been documented in the manpage.

bket

comment created time in 14 days


push event bket/igmpproxy

Björn Ketelaars

commit sha 20340c5fb614b5aa95b3552bf23ec3ec2e5bc6e4

Complement phyint whitelist with blacklist Fixes: #54 Implement new phyint configuration option (blacklist), which enables blocking of specific traffic.

view details

push time in 14 days

Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 void acceptGroupReport(uint32_t src, uint32_t group) {         my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",             inetFmt(group,s1), inetFmt(src,s2), sourceVif->index); -        // If we don't have a whitelist we insertRoute and done+        // If we don't have a black- and whitelist we insertRoute and done         if(sourceVif->allowedgroups == NULL)         {             insertRoute(group, sourceVif->index, src);             return;         }+         // Check if this Request is legit on this interface-        struct SubnetList *sn;-        for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)+        bool                 allow_list = 0;+        bool                 block_list = 0;+        struct SubnetList   *match = NULL;+        struct SubnetList   *sn;++        for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next) {+            // Check if there are black and/or whitelists+            if (sn->allow)+                allow_list = 1;+            else+                block_list = 1;             if((group & sn->subnet_mask) == sn->subnet_addr)-            {-                // The membership report was OK... Insert it into the route table..-                insertRoute(group, sourceVif->index, src);-                return;+                match = sn;+        }++        if((!allow_list && block_list &&+          (match == NULL || (match != NULL && match->allow ))) ||+          (allow_list && match != NULL && match->allow)) {

I'm clearly not seeing what you are seeing. Your guidance is much appreciated.

After rewriting I come to the following

if((!allow_list && match == NULL) ||
  (allow_list && match != NULL && match->allow)

Does this make sense?

bket

comment created time in 15 days


Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 void acceptGroupReport(uint32_t src, uint32_t group) {         my_log(LOG_DEBUG, 0, "Should insert group %s (from: %s) to route table. Vif Ix : %d",             inetFmt(group,s1), inetFmt(src,s2), sourceVif->index); -        // If we don't have a whitelist we insertRoute and done+        // If we don't have a black- and whitelist we insertRoute and done         if(sourceVif->allowedgroups == NULL)         {             insertRoute(group, sourceVif->index, src);             return;         }+         // Check if this Request is legit on this interface-        struct SubnetList *sn;+        struct SubnetList   *match = NULL;+        struct SubnetList   *sn;+         for(sn = sourceVif->allowedgroups; sn != NULL; sn = sn->next)             if((group & sn->subnet_mask) == sn->subnet_addr)-            {-                // The membership report was OK... Insert it into the route table..-                insertRoute(group, sourceVif->index, src);-                return;+                match = sn;++        if(match == NULL || (match != NULL && match->allow == 1)) {+            // The membership report was OK... Insert it into the route table..+            insertRoute(group, sourceVif->index, src);
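Review bot: `if(match == NULL || (match != NULL && match->allow == 1))` inserts the route when no rule matches, which inverts the existing whitelist behaviour: the removed lines only called insertRoute on a match, so a group outside the whitelist was never inserted. A non-matching group has to stay rejected whenever whitelist entries are configured; only a pure blacklist should let unmatched groups through. Also, `match != NULL &&` is redundant after `match == NULL ||`.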

Yes, again you are correct. Guess I did not test enough. Issue seems solved now.

bket

comment created time in 15 days

Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 struct vifconfig *parsePhyintToken(void) {                 my_log(LOG_WARNING, 0, "Unable to parse subnet address.");                 break;             } else {+                (*agrpPtr)->allow = 1;+                agrpPtr = &(*agrpPtr)->next;+            }+        }+        else if(strcmp("blacklist", token)==0) {+            // Blacklist+            token = nextConfigToken();+            my_log(LOG_DEBUG, 0, "Config: IF: Got blacklist token %s.", token);++            *agrpPtr = parseSubnetAddress(token);+            if(*agrpPtr == NULL) {+                parseError = 1;+                my_log(LOG_WARNING, 0, "Unable to parse subnet address.");
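Review bot: the new blacklist branch is a copy of the whitelist branch directly above it, and the whitelist branch only gets its flag because `(*agrpPtr)->allow = 1` is assigned after parseSubnetAddress succeeds; the blacklist branch must set `allow = 0` explicitly at the same point rather than rely on whatever the parser leaves in the new field. Folding both branches into one helper that takes the allow flag would keep the two paths (and their error handling, which now both set `parseError = 1`) from drifting apart.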

blacklist and whitelist now give an error when parsing fails.

bket

comment created time in 15 days


Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 void my_log( int Serverity, int Errno, const char *FmtSt, ... ); struct SubnetList {     uint32_t            subnet_addr;     uint32_t            subnet_mask;+    unsigned short      allow;     struct SubnetList   *next; };
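Review bot: `unsigned short allow` placed between `subnet_mask` and the `next` pointer forces alignment padding before the pointer on 64-bit targets; put the flag after `next` instead, and use `bool`, which says what the field is for and matches how the rest of the change treats it as a yes/no value.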

Forgot about alignment. Thanks!

allow has been moved and changed to bool.

bket

comment created time in 15 days


push event bket/igmpproxy

Björn Ketelaars

commit sha 1ded72fc138b6b1c7d05149d11147ebce4cc2975

Complement phyint whitelist with blacklist Fixes: #54 Implement new phyint configuration option (blacklist), which enables blocking of specific traffic.

view details

push time in 15 days


Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 phyint eth0 upstream  ratelimit 0  threshold 1   ##-------------------------------------------------------## Configuration for eth1 (Downstream Interface)+## Configuration for eth1 (Downstream Interface),+## blocking SSDP / UPnP traffic ##------------------------------------------------------ phyint eth1 downstream  ratelimit 0  threshold 1+        blacklist 239.255.255.250/32
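Review bot: adding an active `blacklist 239.255.255.250/32` to the shipped example turns it into a configuration that drops SSDP on eth1, so anyone who starts from the example loses UPnP discovery with nothing in the logs beyond an "Ignoring" line. Keep the example's behaviour unchanged and show the option commented out (the file already uses `##` comment lines) or document it in the manpage only.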

Changes to the example config file have been reverted, and pushed.

bket

comment created time in 15 days

Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 You may also specify whitelist entries for the upstream interface. Only igmp mem for explicitly whitelisted multicast groups will be sent out on the upstream interface. This is useful if you want to use multicast groups only between your downstream interfaces, like SSDP from a UPnP server.++This option can be combined with+.B blacklist+for fine-grained control.+.RE++.B blacklist+.I networkaddr+.RS+Defines a blacklist for multicast groups. Similar to+.B whitelist+except that if a blacklist entry is defined, all igmp membership reports for+that multicast group will be ignored.++Note that if whitelist and blacklist overlap, blacklist will take precedence.
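Review bot: the new blacklist text says reports for a blacklisted group are ignored and that blacklist wins on overlap, but it does not say what happens to a group matching neither list once both are configured (does the whitelist's "only explicitly whitelisted groups" rule still apply?), nor whether the order of entries matters. State the combined behaviour in one place, ideally as a short table of the four whitelist/blacklist combinations, so "blacklist takes precedence" cannot be read as "a whitelist entry can never override a blacklist entry".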

Thanks for your feedback. Really helpful! I extended struct SubnetList and changed to last-rule-wins.

Changes have been pushed.

bket

comment created time in 15 days


push event bket/igmpproxy

Björn Ketelaars

commit sha 0af4f8c399c0249c66d713def4541e75ca17a594

Complement phyint whitelist with blacklist Fixes: #54 Implement new phyint configuration option (blacklist), which enables blocking of specific traffic.

view details

push time in 15 days

Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 phyint eth0 upstream  ratelimit 0  threshold 1   ##-------------------------------------------------------## Configuration for eth1 (Downstream Interface)+## Configuration for eth1 (Downstream Interface),+## blocking SSDP / UPnP traffic ##------------------------------------------------------ phyint eth1 downstream  ratelimit 0  threshold 1+        blacklist 239.255.255.250/32

I will revert this bit after discussion on the behaviour of whitelist.

bket

comment created time in 16 days


Pull request review comment pali/igmpproxy

Complement phyint whitelist with blacklist

 You may also specify whitelist entries for the upstream interface. Only igmp mem for explicitly whitelisted multicast groups will be sent out on the upstream interface. This is useful if you want to use multicast groups only between your downstream interfaces, like SSDP from a UPnP server.++This option can be combined with+.B blacklist+for fine-grained control.+.RE++.B blacklist+.I networkaddr+.RS+Defines a blacklist for multicast groups. Similar to+.B whitelist+except that if a blacklist entry is defined, all igmp membership reports for+that multicast group will be ignored.++Note that if whitelist and blacklist overlap, blacklist will take precedence.

This looks to be strange behavior. Especially if you have a big blacklist and need to whitelist some particular address from it.

As it is, whitelist is currently doing two things: 1.) it ignores all igmp membership reports, 2.) except those whitelisted. blacklist does only one thing: it ignores blacklisted igmp membership reports. I chose to not only keep the behaviour of whitelist, but also make it independent from blacklist. Behaviour of whitelist can be changed, but we would risk breaking existing setups.

Why not rather to take standard policy that the last matched rule take effect? This can be more useful for different kind of configurations.

If I'm not mistaken this would mean that the behaviour of whitelist changes depending on whether there is a blacklist rule. See above. Additionally, order of the rules is lost as whitelist and blacklist are stored in separate linked lists. For the 'last match rule' to work I need to either add an additional struct member (rule number) to each list or put all rules in a single linked list and mark them (allow/block), and write additional checks. This would make the code more complex/fragile. My proposal is to maintain the old behaviour of whitelist, and use blacklist to additionally ignore igmp membership reports. What do you think of the following change?

blacklist can be used to ignore additional igmp membership reports.

This needs to answer two additional questions:

Guess it makes sense to add the following to the manpage.

Overview on the use of whitelist and blacklist:

whitelist    blacklist     igmp membership reports
not used     not used      allow all
not used     used          allow all except those blacklisted
used         not used      block all except those whitelisted
used         used          block all except those whitelisted, and not blacklisted
bket

comment created time in 16 days
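The evaluation the thread settles on (the condition quoted in the later comment, "note the negation", and the four-row whitelist/blacklist overview above) is easier to reason about when it can be run against concrete rule sets. The following is an added example and not igmpproxy's own code: `struct SubnetList` and its field names are taken from the hunks, while `parse_ipv4`, `parse_rule`, `add_rule`, `eval_rules` and the "whitelist a.b.c.d/len blacklist ..." rule-string syntax are assumptions made for this illustration, not igmpproxy.conf parsing. Rules are appended at the tail so list order equals configuration order, which is what makes last-match-wins meaningful.

```c
/* Added example, not igmpproxy's own code: a stand-alone model of the
 * whitelist/blacklist evaluation discussed in the review (any whitelist
 * entry switches the interface to default-deny, the last matching rule
 * wins). struct SubnetList mirrors the hunks; the parsing helpers and
 * eval_rules() are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct SubnetList {
    uint32_t            subnet_addr;
    uint32_t            subnet_mask;
    struct SubnetList  *next;
    bool                allow;   /* true = whitelist entry, false = blacklist entry */
};

/* Dotted quad to host-order uint32_t; false on malformed input. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* "a.b.c.d/len" (len optional, default 32) into a new rule, or NULL. */
static struct SubnetList *parse_rule(const char *cidr, bool allow)
{
    char buf[32];
    int len = 32;
    if (strlen(cidr) >= sizeof buf) return NULL;
    strcpy(buf, cidr);
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        len = (int)strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || len < 0 || len > 32) return NULL;
    }
    uint32_t addr;
    if (!parse_ipv4(buf, &addr)) return NULL;
    struct SubnetList *sn = calloc(1, sizeof *sn);
    if (sn == NULL) return NULL;
    sn->subnet_mask = len == 0 ? 0 : 0xffffffffu << (32 - len);
    sn->subnet_addr = addr & sn->subnet_mask;   /* normalise host bits away */
    sn->allow = allow;
    return sn;
}

/* Append at the tail so the list keeps configuration order. */
static bool add_rule(struct SubnetList **head, const char *cidr, bool allow)
{
    struct SubnetList *sn = parse_rule(cidr, allow);
    if (sn == NULL) return false;
    while (*head != NULL) head = &(*head)->next;
    *head = sn;
    return true;
}

static void free_rules(struct SubnetList *sn)
{
    while (sn != NULL) {
        struct SubnetList *next = sn->next;
        free(sn);
        sn = next;
    }
}

/* The decision from the review: no rules at all permits everything; with
 * no whitelist entry a group is permitted unless some rule matches it;
 * with a whitelist entry the last matching rule must be a whitelist one. */
static bool group_permitted(const struct SubnetList *rules, uint32_t group)
{
    if (rules == NULL) return true;
    bool allow_list = false;
    const struct SubnetList *match = NULL;
    for (const struct SubnetList *sn = rules; sn != NULL; sn = sn->next) {
        if (sn->allow) allow_list = true;
        if ((group & sn->subnet_mask) == sn->subnet_addr)
            match = sn;   /* deliberately no break: last match wins */
    }
    return (!allow_list && match == NULL) ||
           (allow_list && match != NULL && match->allow);
}

/* Evaluate a group against a constructed rule string such as
 * "whitelist 239.0.0.0/8 blacklist 239.255.255.250/32" (assumed syntax for
 * this example only). Returns 1 permitted, 0 ignored, -1 bad input. */
int eval_rules(const char *spec, const char *group_str)
{
    struct SubnetList *rules = NULL;
    char buf[256];
    uint32_t group;
    int rc = -1;
    if (strlen(spec) >= sizeof buf || !parse_ipv4(group_str, &group)) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        bool allow;
        if (strcmp(tok, "whitelist") == 0) allow = true;
        else if (strcmp(tok, "blacklist") == 0) allow = false;
        else goto out;
        char *cidr = strtok(NULL, " ");
        if (cidr == NULL || !add_rule(&rules, cidr, allow)) goto out;
    }
    rc = group_permitted(rules, group) ? 1 : 0;
out:
    free_rules(rules);
    return rc;
}

int main(void)
{
    const char *ssdp = "239.255.255.250", *other = "239.1.2.3";
    printf("no lists:         %d %d\n", eval_rules("", ssdp), eval_rules("", other));
    printf("blacklist only:   %d %d\n", eval_rules("blacklist 239.255.255.250/32", ssdp),
                                       eval_rules("blacklist 239.255.255.250/32", other));
    printf("whitelist only:   %d %d\n", eval_rules("whitelist 239.1.0.0/16", ssdp),
                                       eval_rules("whitelist 239.1.0.0/16", other));
    printf("both, last wins:  %d\n",
           eval_rules("whitelist 239.0.0.0/8 blacklist 239.255.255.250/32", ssdp));
    printf("hole in blacklist: %d %d\n",
           eval_rules("blacklist 239.0.0.0/8 whitelist 239.1.2.3/32", other),
           eval_rules("blacklist 239.0.0.0/8 whitelist 239.1.2.3/32", "224.0.0.1"));
    return 0;
}
```

The last case is the one raised in the thread, a big blacklist with one whitelisted address: 239.1.2.3 is let through because its last matching rule is the whitelist entry, while 224.0.0.1, which matches nothing, is dropped, because the presence of a whitelist entry keeps the interface in default-deny exactly as the "used / used" row of the overview says.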

delete branch bket/igmpproxy

delete branch: filter

delete time in 16 days

PR closed pali/igmpproxy

Filter local multicast traffic (#54)

Implement new configuration option (filter), which enables filtering of traffic to a specified IP-address.

+57 -6

3 comments

5 changed files

bket

pr closed time in 16 days