From patchwork Thu May 14 09:52:08 2026
X-Patchwork-Submitter: Marco Baffo
X-Patchwork-Id: 4942
From: Marco Baffo
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 14 May 2026 11:52:08 +0200
Message-ID: <20260514095210.288979-3-marco@mandelbit.com>
In-Reply-To: <20260514095210.288979-1-marco@mandelbit.com>
References: <20260514095210.288979-1-marco@mandelbit.com>
Subject: [Openvpn-devel] [RFC ovpn net-next 3/5] ovpn: filter incoming multicast data packets

When the Ovpn server receives a multicast data packet that has to be transmitted to the peers,
if its IP destination is a multicast group to which no peer is currently subscribed, the packet is dropped instead of being broadcasted. Multicast control messages (IGMP/MLD) are still broadcasted to all peers. Signed-off-by: Marco Baffo --- drivers/net/ovpn/mcast.c | 41 ++++++++++++++++++++++++++++++++++++++-- drivers/net/ovpn/mcast.h | 1 + drivers/net/ovpn/peer.c | 7 +++++-- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/drivers/net/ovpn/mcast.c b/drivers/net/ovpn/mcast.c index c90ef2b8d8b8..59b0b62afcde 100644 --- a/drivers/net/ovpn/mcast.c +++ b/drivers/net/ovpn/mcast.c @@ -358,12 +358,49 @@ bool ovpn_mcast_snoop_skb(struct ovpn_peer *peer, struct sk_buff *skb) { if (peer->ovpn->mode != OVPN_MODE_MP) return false; + if (skb->protocol == htons(ETH_P_IP)) { if (ip_hdr(skb)->protocol == IPPROTO_IGMP) return ovpn_mcast_snoop_igmp(peer, skb); } else if (skb->protocol == htons(ETH_P_IPV6)) { - if (ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) - return ovpn_mcast_snoop_mld(peer, skb); + return ovpn_mcast_snoop_mld(peer, skb); + } + + return false; +} + +/** + * ovpn_mcast_is_control - determine whether an skb is multicast control traffic + * @skb: the packet to inspect + * + * Return: true if the skb contains IGMP or MLD control traffic, + * false otherwise + */ +bool ovpn_mcast_is_control(struct sk_buff *skb) +{ + unsigned int offset; + struct icmp6hdr *ih; + + if (skb->protocol == htons(ETH_P_IP)) + return ip_hdr(skb)->protocol == IPPROTO_IGMP; + + if (skb->protocol != htons(ETH_P_IPV6)) + return false; + + if (!ovpn_mcast_mld_offset(skb, &offset)) + return false; + + if (!pskb_may_pull(skb, offset + sizeof(*ih))) + return false; + + ih = (struct icmp6hdr *)(skb_network_header(skb) + offset); + switch (ih->icmp6_type) { + case ICMPV6_MGM_QUERY: + case ICMPV6_MGM_REPORT: + case ICMPV6_MGM_REDUCTION: + case ICMPV6_MLD2_REPORT: + return true; } + return false; } 
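Review bot: the ovpn_mcast_snoop_skb() part of this hunk drops the `ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6` guard and now calls ovpn_mcast_snoop_mld() for every IPv6 packet, but neither the commit message nor a comment says why; that is a behaviour change in its own right and reads as an unrelated fix folded into this patch. If the reason is that MLD messages carry a Hop-by-Hop Options header (Router Alert), so nexthdr is normally IPPROTO_HOPOPTS rather than IPPROTO_ICMPV6 and ovpn_mcast_mld_offset() is what walks to the ICMPv6 header, please say so in the log. In the new ovpn_mcast_is_control(), the `pskb_may_pull()` failure path returns false, which means a truncated MLD packet is classified as data and, with no subscriber, dropped rather than flooded; that is the safe default, but a one-line comment would stop a later reader from "fixing" it.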
diff --git a/drivers/net/ovpn/mcast.h b/drivers/net/ovpn/mcast.h index e9e14d807270..9e06e893a355 100644 --- a/drivers/net/ovpn/mcast.h +++ b/drivers/net/ovpn/mcast.h @@ -22,6 +22,7 @@ void ovpn_mcast_leave_all(struct ovpn_peer *peer); bool ovpn_peer_list_get_by_mcast_group(struct ovpn_priv *ovpn, const struct in6_addr *group_addr, struct llist_head *list); +bool ovpn_mcast_is_control(struct sk_buff *skb); bool ovpn_mcast_snoop_skb(struct ovpn_peer *peer, struct sk_buff *skb); #endif /* _NET_OVPN_MCAST_H_ */ diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 5159a8f9dfba..a9728a157210 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -779,8 +779,10 @@ void ovpn_peer_list_get_by_dst(struct ovpn_priv *ovpn, struct sk_buff *skb, addr_type = inet_dev_addr_type(dev_net(ovpn->dev), ovpn->dev, addr4); if (addr_type == RTN_MULTICAST) { ipv6_addr_set_v4mapped(addr4, &addr6); - if (!ovpn_peer_list_get_by_mcast_group(ovpn, &addr6, list)) + if (!ovpn_peer_list_get_by_mcast_group(ovpn, &addr6, list) && + ovpn_mcast_is_control(skb)) { ovpn_peer_list_get_all(ovpn, list); + } } else if (addr_type == RTN_BROADCAST) { ovpn_peer_list_get_all(ovpn, list); } @@ -795,7 +797,8 @@ void ovpn_peer_list_get_by_dst(struct ovpn_priv *ovpn, struct sk_buff *skb, rcu_read_unlock(); if (ipv6_addr_is_multicast(&addr6) && - !ovpn_peer_list_get_by_mcast_group(ovpn, &addr6, list)) { + !ovpn_peer_list_get_by_mcast_group(ovpn, &addr6, list) && + ovpn_mcast_is_control(skb)) { ovpn_peer_list_get_all(ovpn, list); } return;
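Review bot: in both peer.c hunks a multicast packet whose group has no subscriber is now dropped unless ovpn_mcast_is_control(skb) is true, and that test is keyed purely on IGMP/MLD. That leaves no forwarding path for multicast that hosts never join via IGMP/MLD: the all-nodes group ff02::1 (Router Advertisements, among others) and the 224.0.0.0/24 link-local range (OSPF, VRRP, mDNS over IPv4) would be dropped by the server, because ovpn_peer_list_get_by_mcast_group() can never find a subscriber for them. RFC 4541 (sections 2.1.2 and 3) has snooping switches forward 224.0.0.X and ff02::1 traffic unconditionally for exactly this reason. Consider exempting those ranges alongside the control check, e.g. `ipv4_is_local_multicast(addr4)` in the IPv4 hunk and `ipv6_addr_is_ll_all_nodes(&addr6)` in the IPv6 hunk, or state in the commit message why ovpn peers are expected to cope without them.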