conntrackd: restrict multicast reception

Bind the socket to the multicast address specified by {IPv4,IPv6}_address
to discard unicast UDP packets and multicast traffic not coming to the
dedicated interface. There is already code to restrict the interface
but the socket was bound to any address.

Without this patch, multicast sync messages can be received from any
interface if your firewall policy does not restrict the interface used
for sending and receiving them.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1819
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 6 insertions, 5 deletions

diff --git a/src/mcast.c b/src/mcast.c
index 4107d5d..912e762 100644
--- a/src/mcast.c
+++ b/src/mcast.c
@@ -49,23 +49,24 @@ struct mcast_sock *mcast_server_create(struct mcast_conf *conf)
 	switch(conf->ipproto) {
 	case AF_INET:
 		mreq.ipv4.imr_multiaddr.s_addr = conf->in.inet_addr.s_addr;
-		mreq.ipv4.imr_interface.s_addr =conf->ifa.interface_addr.s_addr;
+		mreq.ipv4.imr_interface.s_addr = conf->ifa.interface_addr.s_addr;
 
 	        m->addr.ipv4.sin_family = AF_INET;
 	        m->addr.ipv4.sin_port = htons(conf->port);
-	        m->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
+	        m->addr.ipv4.sin_addr.s_addr = conf->in.inet_addr.s_addr;
 
-		m->sockaddr_len = sizeof(struct sockaddr_in); 
+		m->sockaddr_len = sizeof(struct sockaddr_in);
 		break;
 
 	case AF_INET6:
 		memcpy(&mreq.ipv6.ipv6mr_multiaddr, &conf->in.inet_addr6,
-		       sizeof(uint32_t) * 4);
+		       sizeof(struct in6_addr));
 		mreq.ipv6.ipv6mr_interface = conf->ifa.interface_index6;
 
 		m->addr.ipv6.sin6_family = AF_INET6;
 		m->addr.ipv6.sin6_port = htons(conf->port);
-		m->addr.ipv6.sin6_addr = in6addr_any;
+		memcpy(&m->addr.ipv6.sin6_addr, &conf->in.inet_addr6,
+		       sizeof(struct in6_addr));
 
 		m->sockaddr_len = sizeof(struct sockaddr_in6);
 		break;