igmp option 148 (RA)

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

igmp option 148 (RA)

Kapetanakis Giannis
Hi,

I'm constantly seeing this on my pf router.
rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query
[tos 0xc0] [ttl 1]

Rule 61 is:
@61 pass quick inet proto igmp from $ext_if:network to 224.0.0.1 keep
state (no-sync)

tcpdump on $ext_if shows:
$ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] (id 59056, len 32,
optlen=4 IPOPT-148{4})

I guess pf has a problem with ip-option 148 which is router alert (rfc2113)
Is this normal? Why does it think it's bad?

Ext gateway is cisco (no under my control) which apparently is sending
this option.

G

Reply | Threaded
Open this post in threaded view
|

Re: igmp option 148 (RA)

Stefan Sperling-5
On Thu, Jan 21, 2016 at 12:27:06PM +0200, Kapetanakis Giannis wrote:

> Hi,
>
> I'm constantly seeing this on my pf router.
> rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query [tos
> 0xc0] [ttl 1]
>
> Rule 61 is:
> @61 pass quick inet proto igmp from $ext_if:network to 224.0.0.1 keep state
> (no-sync)
>
> tcpdump on $ext_if shows:
> $ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] (id 59056, len 32,
> optlen=4 IPOPT-148{4})
>
> I guess pf has a problem with ip-option 148 which is router alert (rfc2113)
> Is this normal? Why does it think it's bad?
>
> Ext gateway is cisco (no under my control) which apparently is sending this
> option.
>
> G

Multicast traffic is black-holed by default.
You may want to set multicast_host=Yes in /etc/rc.conf.local.
See the MULTICAST ROUTING section in the netstart(8) man page.

Reply | Threaded
Open this post in threaded view
|

Re: igmp option 148 (RA)

Kapetanakis Giannis
On 21/01/16 12:40, Stefan Sperling wrote:

> On Thu, Jan 21, 2016 at 12:27:06PM +0200, Kapetanakis Giannis wrote:
>> Hi,
>>
>> I'm constantly seeing this on my pf router.
>> rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query [tos
>> 0xc0] [ttl 1]
>>
>> Rule 61 is:
>> @61 pass quick inet proto igmp from $ext_if:network to 224.0.0.1 keep state
>> (no-sync)
>>
>> tcpdump on $ext_if shows:
>> $ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] (id 59056, len 32,
>> optlen=4 IPOPT-148{4})
>>
>> I guess pf has a problem with ip-option 148 which is router alert (rfc2113)
>> Is this normal? Why does it think it's bad?
>>
>> Ext gateway is cisco (no under my control) which apparently is sending this
>> option.
>>
>> G
> Multicast traffic is black-holed by default.
> You may want to set multicast_host=Yes in /etc/rc.conf.local.
> See the MULTICAST ROUTING section in the netstart(8) man page.
>

I 've tried multicast=YES and manually removing the -reject rule
as in /etc/netstart (route -qn delete 224.0.0.0/4)

but nothing changed

multicast_host seems deprecated. I can't find any entry for this in
/etc/rc /etc/rc.conf or /etc/netstart
Anyway I don't think this is the problem since the reject route probably
has nothing to do with pf deciding it's a bad ip option.

thanx for reply

G

Reply | Threaded
Open this post in threaded view
|

Re: igmp option 148 (RA)

Jonathan Gray-11
In reply to this post by Stefan Sperling-5
On Thu, Jan 21, 2016 at 11:40:41AM +0100, Stefan Sperling wrote:

> On Thu, Jan 21, 2016 at 12:27:06PM +0200, Kapetanakis Giannis wrote:
> > Hi,
> >
> > I'm constantly seeing this on my pf router.
> > rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query [tos
> > 0xc0] [ttl 1]
> >
> > Rule 61 is:
> > @61 pass quick inet proto igmp from $ext_if:network to 224.0.0.1 keep state
> > (no-sync)
> >
> > tcpdump on $ext_if shows:
> > $ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] (id 59056, len 32,
> > optlen=4 IPOPT-148{4})
> >
> > I guess pf has a problem with ip-option 148 which is router alert (rfc2113)
> > Is this normal? Why does it think it's bad?
> >
> > Ext gateway is cisco (no under my control) which apparently is sending this
> > option.
> >
> > G
>
> Multicast traffic is black-holed by default.
> You may want to set multicast_host=Yes in /etc/rc.conf.local.
> See the MULTICAST ROUTING section in the netstart(8) man page.
>

Note that it is just "multicast" with snapshots and >= 5.9
http://www.openbsd.org/faq/current.html#20151205

Reply | Threaded
Open this post in threaded view
|

Re: igmp option 148 (RA)

Stuart Henderson
In reply to this post by Kapetanakis Giannis
On 2016-01-21, Kapetanakis Giannis <[hidden email]> wrote:

> Hi,
>
> I'm constantly seeing this on my pf router.
> rule 61/(ip-option) pass in on $ext_if: $ext_gw > 224.0.0.1: igmp query
> [tos 0xc0] [ttl 1]
>
> Rule 61 is:
> @61 pass quick inet proto igmp from $ext_if:network to 224.0.0.1 keep
> state (no-sync)
>
> tcpdump on $ext_if shows:
> $ext_gw > 224.0.0.1: igmp query [tos 0xc0] [ttl 1] (id 59056, len 32,
> optlen=4 IPOPT-148{4})
>
> I guess pf has a problem with ip-option 148 which is router alert (rfc2113)
> Is this normal? Why does it think it's bad?
>
> Ext gateway is cisco (no under my control) which apparently is sending
> this option.
>
> G
>
>

See pf.conf(5) "allow-opts".

Reply | Threaded
Open this post in threaded view
|

Re: igmp option 148 (RA)

Kapetanakis Giannis
On 21/01/16 13:15, Stuart Henderson wrote:
> See pf.conf(5) "allow-opts".

thanx Stuart :)
that did the trick

G