From d30b3f666381fcfe993b15b7d2ad1f7f954ca229 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 9 Nov 2025 19:35:05 +0100
Subject: conntrackd: restrict multicast reception

Bind the socket to the multicast address specified by {IPv4,IPv6}_address to discard unicast UDP packets and multicast traffic not coming to the dedicated interface. There is already code to restrict the interface but the socket was bound to any address.

Without this patch, multicast sync messages can be received from any interface if your firewall policy does not restrict the interface used for sending and receiving them.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1819
Signed-off-by: Pablo Neira Ayuso
---
 src/mcast.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/mcast.c b/src/mcast.c
index 4107d5d..912e762 100644
--- a/src/mcast.c
+++ b/src/mcast.c
@@ -49,23 +49,24 @@ struct mcast_sock *mcast_server_create(struct mcast_conf *conf)
 switch(conf->ipproto) {
 case AF_INET:
 mreq.ipv4.imr_multiaddr.s_addr = conf->in.inet_addr.s_addr;
- mreq.ipv4.imr_interface.s_addr =conf->ifa.interface_addr.s_addr;
+ mreq.ipv4.imr_interface.s_addr = conf->ifa.interface_addr.s_addr;
 m->addr.ipv4.sin_family = AF_INET;
 m->addr.ipv4.sin_port = htons(conf->port);
- m->addr.ipv4.sin_addr.s_addr = htonl(INADDR_ANY);
+ m->addr.ipv4.sin_addr.s_addr = conf->in.inet_addr.s_addr;
- m->sockaddr_len = sizeof(struct sockaddr_in);
+ m->sockaddr_len = sizeof(struct sockaddr_in);
 break;
 case AF_INET6:
 memcpy(&mreq.ipv6.ipv6mr_multiaddr, &conf->in.inet_addr6,
- sizeof(uint32_t) * 4);
+ sizeof(struct in6_addr));
 mreq.ipv6.ipv6mr_interface = conf->ifa.interface_index6;
 m->addr.ipv6.sin6_family = AF_INET6;
 m->addr.ipv6.sin6_port = htons(conf->port);
- m->addr.ipv6.sin6_addr = in6addr_any;
+ memcpy(&m->addr.ipv6.sin6_addr, &conf->in.inet_addr6,
+ sizeof(struct in6_addr));
 m->sockaddr_len = sizeof(struct sockaddr_in6);
 break;
-- 
cgit v1.2.3
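Review bot: The AF_INET6 branch now copies the group address into `m->addr.ipv6.sin6_addr` but leaves `sin6_scope_id` at zero; on Linux, bind() to an address with link-local scope (the ff02::/16 groups commonly used for this) fails with EINVAL unless a scope id is given or the socket was already bound to a device, so an IPv6 group that worked with in6addr_any may now fail at bind() when no interface binding precedes it (bind() and any SO_BINDTODEVICE call live in mcast_server_create's body outside this hunk, so I cannot confirm the order here). The interface index is already available on the `ipv6mr_interface` line, so I would set it next to the family and port: `m->addr.ipv6.sin6_scope_id = conf->ifa.interface_index6;`. That removes the dependency on the device-binding code the commit message mentions and makes the restriction to the dedicated interface explicit on the IPv6 side as well. The IPv4 branch needs no equivalent, since a group address alone is a valid bind target there.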