Bug 520127 - pkttype filtering on multicast not working with OUTPUT chain
Summary: pkttype filtering on multicast not working with OUTPUT chain
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iptables
Version: 5.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: qe-baseos-daemons
Depends On:
Reported: 2009-08-28 14:29 UTC by Brenton Leanhardt
Modified: 2014-10-14 12:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-02 13:19:55 UTC


Description Brenton Leanhardt 2009-08-28 14:29:03 UTC
Description of problem:
I have two machines in a JBoss cluster that communicate via multicast.  I want to temporarily take one out of rotation with the following rules:

/sbin/iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
/sbin/iptables -A OUTPUT -m pkttype --pkt-type multicast -j DROP

The rule for the INPUT chain works.  The rule on the OUTPUT chain still allows multicast packets to leave the system.  I tried setting it to log and it does not work either.

Version-Release number of selected component (if applicable):

How reproducible:
I am using the following scripts to send multicast packets between the two systems:

(taken from http://onestepback.org/index.cgi/Tech/Ruby/MulticastingInRuby.red)

# send.rb
require 'socket'

# The group address definition was lost from the report; placeholder value,
# not the reporter's actual multicast group.
MULTICAST_ADDR = "239.255.0.1"
PORT = 5000

socket = UDPSocket.open
# TTL 1 keeps the datagram on the local segment
socket.setsockopt(Socket::IPPROTO_IP, Socket::IP_TTL, [1].pack('i'))
socket.send(ARGV.join(' '), 0, MULTICAST_ADDR, PORT)

# receive.rb
require 'socket'
require 'ipaddr'

# Same placeholder group address as in send.rb
MULTICAST_ADDR = "239.255.0.1"
PORT = 5000

# struct ip_mreq: group address followed by the local interface (INADDR_ANY)
ip = IPAddr.new(MULTICAST_ADDR).hton + IPAddr.new("0.0.0.0").hton

sock = UDPSocket.new
sock.setsockopt(Socket::IPPROTO_IP, Socket::IP_ADD_MEMBERSHIP, ip)
sock.bind(Socket::INADDR_ANY, PORT)

loop do
  msg, info = sock.recvfrom(1024)
  puts "MSG: #{msg} from #{info[2]} (#{info[3]})/#{info[1]} len #{msg.size}"
end

Steps to Reproduce:
1. service iptables stop (on both systems)
2. Add the two pkttype firewall rules to one of the systems
3. run receive.rb on one system
4. run send.rb on the other
Actual results:
The packets are sent and received just fine.  If I add the rules to the other system the inbound packets will be dropped as expected.

Expected results:
EPERM should be returned to the script when the kernel drops the outbound packets.  The other system should not receive the multicast packet.

Additional info:

To workaround this issue I am using:

/sbin/iptables -A CLUSTER_IN -d -j DROP
/sbin/iptables -A CLUSTER_OUT -d -j DROP

Comment 1 Quentin Armitage 2012-07-16 10:03:52 UTC
The pkttype match is a match on the link level (i.e. MAC) address type, see man iptables output:
       This module matches the link-layer packet type.

For outbound packets, the link layer (and hence MAC address) hasn't been constructed when the packet is in netfilter (to see this, log an inbound packet and also an outbound packet and see that there is no MAC= output for the outbound packet, whereas there is for the inbound packet).

The output of:
# iptables -m pkttype --help
pkttype match options:
[!] --pkt-type packettype    match packet type
Valid packet types:
	unicast       		to us
	broadcast     		to all
	multicast     		to group

Although not explicitly stated, it can be deduced from the unicast line that it is for inbound packets.

To match on address type for outbound packets, use the addrtype match, i.e.
-m addrtype --dst-type MULTICAST

This can also be used for inbound packets with -m addrtype --src-type MULTICAST.

The addrtype match appears to allow more control in general than the pkttype match.

So in your case you could have:
/sbin/iptables -A CLUSTER_IN -m addrtype --dst-type MULTICAST -j DROP
/sbin/iptables -A CLUSTER_OUT -m addrtype --src-type MULTICAST -j DROP

Comment 2 Quentin Armitage 2012-07-16 10:11:30 UTC
Apologies, there is an error in the final examples above. They should read:
/sbin/iptables -A CLUSTER_IN -m addrtype --dst-type MULTICAST -j DROP
/sbin/iptables -A CLUSTER_OUT -m addrtype --dst-type MULTICAST -j DROP

i.e. look at the dst-type for both inbound and outbound.
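
As an added illustration of the distinction drawn in Comments 1 and 2 (example code, not from the bug report or from iptables itself), a small Ruby model of what each match can see: pkt_type, addr_type, multicast_match and the sample group/MAC addresses are constructed for this example.

```ruby
require 'ipaddr'

# pkttype classifies the link-layer packet type, which the kernel derives from the
# destination MAC of a received frame.  In the OUTPUT chain no frame exists yet, so
# there is nothing to classify and the match never fires.  addrtype classifies the
# IP destination (or source) address, which is present in both directions.

MULTICAST_V4      = IPAddr.new("224.0.0.0/4")        # IPv4 multicast range
LIMITED_BROADCAST = IPAddr.new("255.255.255.255")

# Link-layer type from a destination MAC; nil when the frame has not been built.
def pkt_type(dst_mac)
  return nil if dst_mac.nil?
  octets = dst_mac.split(":").map { |h| h.to_i(16) }
  return :broadcast if octets.all? { |o| o == 0xff }
  (octets[0] & 0x01) == 1 ? :multicast : :unicast   # I/G bit marks group addresses
end

# addrtype-style class of an IPv4 address (MULTICAST / BROADCAST / UNICAST).
def addr_type(ip)
  addr = IPAddr.new(ip)
  return :broadcast if addr == LIMITED_BROADCAST
  MULTICAST_V4.include?(addr) ? :multicast : :unicast
end

# Would a rule written with each match treat this IPv4 datagram as multicast?
# dst_mac is nil for a packet traversing OUTPUT (constructed input, not a capture).
def multicast_match(dst_ip, dst_mac)
  {
    pkttype:  pkt_type(dst_mac) == :multicast,
    addrtype: addr_type(dst_ip) == :multicast,
  }
end

if __FILE__ == $0
  # INPUT: the frame carries the IPv4-mapped multicast MAC for 239.192.0.1
  p multicast_match("239.192.0.1", "01:00:5e:40:00:01")  # both matches true
  # OUTPUT: no link-layer header yet, only addrtype sees the group address
  p multicast_match("239.192.0.1", nil)                  # pkttype false, addrtype true
end
```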

Comment 3 RHEL Product and Program Management 2014-03-07 12:50:14 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 4 RHEL Product and Program Management 2014-06-02 13:19:55 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
