Linux bridge / IGMP snooping - won't drop traffic

megachips

Jan 6, 2024
Usually people have issues with IGMP snooping dropping multicast - however I have the opposite, the bridge doesn't seem to drop traffic like it should.

This used to work fine for me, I could disable / enable snooping on the bridge and it would drop / forward frames as required.

Essentially, I'm writing some multicast libraries, and I want to test things to make sure I'm handling them correctly when multicast is being dropped by the bridge.

In order to do that, I've disabled my IGMP querier.

Here is the bridge with two ports:

Code:
root@gruntbox:~# brctl show vmbr2
bridge name     bridge id           STP enabled     interfaces
vmbr2           8000.ee4978cb3966   no              tap109i0
                                                    tap110i0

I then check the bridge to make sure that the target bridge (vmbr2) doesn't have router ports and that the subscribed multicast groups have timed out.

*Note: vmbr1 is a separate bridge and not part of this test*

Code:
root@gruntbox:~# bridge -d -s mdb show
dev vmbr0 port tap100i0 grp 239.255.255.250 temp proto kernel   230.16
router ports on vmbr0: tap101i0  213.96 temp

Make sure snooping is enabled:

Code:
root@gruntbox:~# cat /sys/class/net/vmbr2/bridge/multicast_snooping
1

Then on the client machine I run upnpc to test SSDP.

Code:
davew@salad:~$ upnpc -S
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.44.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.44.1:2189/ctl/IPConn
Local LAN ip address : 192.168.44.10
FirewallEnabled: 0 & Inbound Pinhole Allowed: 0
GetFirewallStatus:
   Firewall Enabled: No
   Inbound Pinhole Allowed: No
Bytes:   Sent: 60121207 Recv: 61155274
Packets: Sent:   206651 Recv:   209053

and here is the frame being forwarded when it shouldn't:

Code:
root@OPNonsense:~ # tcpdump -nn -i vtnet0 host 239.255.255.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:18:56.773995 IP 192.168.44.10.57043 > 239.255.255.250.1900: UDP, length 137

This should not work - the bridge should be snooping this and dropping the frame.

I've updated to the latest Proxmox 7 and still get the same issue.

Code:
root@gruntbox:~# uname -a
Linux gruntbox 5.15.131-2-pve #1 SMP PVE 5.15.131-3 (2023-12-01T13:42Z) x86_64 GNU/Linux

I've also tried deleting and recreating the bridge.

How can I debug this further and get this working again?

Ps - here is the full bridge config

Code:
root@gruntbox:~# ip -j -p -d link show vmbr2
[ {
        "ifindex": 6,
        "ifname": "vmbr2",
        "flags": [ "BROADCAST","MULTICAST","UP","LOWER_UP" ],
        "mtu": 1500,
        "qdisc": "noqueue",
        "operstate": "UP",
        "linkmode": "DEFAULT",
        "group": "default",
        "txqlen": 1000,
        "link_type": "ether",
        "address": "ee:49:78:cb:39:66",
        "broadcast": "ff:ff:ff:ff:ff:ff",
        "promiscuity": 0,
        "min_mtu": 68,
        "max_mtu": 65535,
        "linkinfo": {
            "info_kind": "bridge",
            "info_data": {
                "forward_delay": 0,
                "hello_time": 200,
                "max_age": 2000,
                "ageing_time": 30000,
                "stp_state": 0,
                "priority": 32768,
                "vlan_filtering": 0,
                "vlan_protocol": "802.1Q",
                "bridge_id": "8000.ee:49:78:cb:39:66",
                "root_id": "8000.ee:49:78:cb:39:66",
                "root_port": 0,
                "root_path_cost": 0,
                "topology_change": 0,
                "topology_change_detected": 0,
                "hello_timer": 0.00,
                "tcn_timer": 0.00,
                "topology_change_timer": 0.00,
                "gc_timer": 103.08,
                "vlan_default_pvid": 1,
                "vlan_stats_enabled": 0,
                "vlan_stats_per_port": 0,
                "group_fwd_mask": "0",
                "group_addr": "01:80:c2:00:00:00",
                "mcast_snooping": 1,
                "mcast_router": 1,
                "mcast_query_use_ifaddr": 0,
                "mcast_querier": 0,
                "mcast_hash_elasticity": 16,
                "mcast_hash_max": 512,
                "mcast_last_member_cnt": 2,
                "mcast_startup_query_cnt": 2,
                "mcast_last_member_intvl": 100,
                "mcast_membership_intvl": 26000,
                "mcast_querier_intvl": 25500,
                "mcast_query_intvl": 12500,
                "mcast_query_response_intvl": 1000,
                "mcast_startup_query_intvl": 3124,
                "mcast_stats_enabled": 0,
                "mcast_igmp_version": 2,
                "mcast_mld_version": 1,
                "nf_call_iptables": 0,
                "nf_call_ip6tables": 0,
                "nf_call_arptables": 0
            }
        },
        "inet6_addr_gen_mode": "eui64",
        "num_tx_queues": 1,
        "num_rx_queues": 1,
        "gso_max_size": 65536,
        "gso_max_segs": 65535
    } ]
 
do you have an igmp querier on this vmbr2 network ?

if not, you can enable a querier on vmbr2 with "echo 1 > /sys/class/net/vmbr2/bridge/multicast_querier"

I specifically turned the querier off. I want the bridge to drop traffic - which it is not doing. For some reason the bridge is forwarding all multicast to all ports, even with snooping enabled.
 
you need an igmp querier to have igmp snooping working.

default is open flood, until an igmp query is received by the nodes' ips and an igmp response is sent to the switch (then the bridge can create the igmp group)
 
You've really blown my mind here. I wasn't aware that the membership query is what triggers snooping. I thought it was the membership report - i.e. the multicast join.

I'll have to do some testing! Thanks for the insight, will report back :)
 
Just want to make sure I understand this right. So if a switch receives a multicast frame and it doesn't have this group in the mdb, it will open flood the frame? (I was of the understanding that it would drop the frame)

Then, if one port subscribes to a group and this gets added to the mdb, when the switch receives a frame for this group... it will then only forward it to the single port?
 
For anyone else coming here - I've tested the above and confirmed that's partly how it works.

A linux bridge even with snooping enabled will open flood if there are no router ports showing in the mdb for the bridge, even if multicast groups have been subscribed to. As soon as a router port shows up for that bridge (an end device sent an IGMP query) it will start snooping and only forward to subscribed members.
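The behaviour spirit described and megachips confirmed above (flood until a router port exists, then forward only to members plus router ports) can be made concrete by parsing the `bridge -d -s mdb show` output and modelling the forwarding decision. The following is an added example written for this thread; it is not code from the thread, from Proxmox or from iproute2. It parses only the two line formats shown earlier in the thread, the second mdb line for vmbr2 in the sample is constructed, and the forwarding rules are a simplified model of the observed behaviour rather than the kernel's code. The always-flood rule for the 224.0.0.0/24 link-local range reflects how the kernel treats that range regardless of snooping.

```python
"""Model of the Linux bridge multicast forwarding decision, driven by the
text output of `bridge -d -s mdb show` (line formats as shown in this thread).

Added example, not from the thread or from Proxmox/iproute2. The rules are a
simplified model of the observed behaviour: flood while no router port exists
on the bridge, otherwise forward to group members plus router ports.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# "dev vmbr0 port tap100i0 grp 239.255.255.250 temp proto kernel   230.16"
MDB_LINE = re.compile(r"^dev (\S+) port (\S+) grp (\S+) ")
# "router ports on vmbr0: tap101i0  213.96 temp"
ROUTER_LINE = re.compile(r"^router ports on (\S+): (.*)$")
TIMER = re.compile(r"^[\d.]+$")
LINK_LOCAL_V4 = ipaddress.ip_network("224.0.0.0/24")

# Constructed sample: first and third lines are from the thread, the vmbr2
# member line is invented to show a group with members but no router port.
SAMPLE_MDB = """\
dev vmbr0 port tap100i0 grp 239.255.255.250 temp proto kernel   230.16
dev vmbr2 port tap110i0 grp 239.255.255.250 temp proto kernel   120.00
router ports on vmbr0: tap101i0  213.96 temp
"""


@dataclass
class Mdb:
    groups: dict = field(default_factory=dict)   # (bridge, group) -> {ports}
    routers: dict = field(default_factory=dict)  # bridge -> {router ports}


def parse_mdb(text: str) -> Mdb:
    """Parse `bridge -d -s mdb show` text into membership and router-port tables."""
    mdb = Mdb()
    for raw in text.splitlines():
        line = raw.strip()
        m = MDB_LINE.match(line)
        if m:
            dev, port, grp = m.groups()
            mdb.groups.setdefault((dev, grp), set()).add(port)
            continue
        m = ROUTER_LINE.match(line)
        if m:
            dev, rest = m.groups()
            # Drop timer values and temp/permanent flags; the rest are port names.
            ports = {t for t in rest.split()
                     if t not in ("temp", "permanent") and not TIMER.match(t)}
            mdb.routers.setdefault(dev, set()).update(ports)
    return mdb


def _is_link_local_v4(group: str) -> bool:
    try:
        addr = ipaddress.ip_address(group)
    except ValueError:
        return False
    return addr.version == 4 and addr in LINK_LOCAL_V4


def egress_ports(mdb: Mdb, bridge: str, group: str, ingress: str,
                 all_ports, snooping: bool = True) -> set:
    """Ports a frame for `group` arriving on `ingress` is forwarded to."""
    others = set(all_ports) - {ingress}
    if not snooping or _is_link_local_v4(group):
        return others                      # flood: snooping off or 224.0.0.0/24
    routers = mdb.routers.get(bridge, set())
    if not routers:
        return others                      # no querier seen yet: bridge floods
    members = mdb.groups.get((bridge, group), set())
    return (members | routers) - {ingress}  # snooping active: members + routers


def diagnose(mdb: Mdb, bridge: str, snooping: bool) -> str:
    """One-line verdict for the state debugged in this thread."""
    if not snooping:
        return f"snooping disabled on {bridge}: all multicast is flooded"
    routers = mdb.routers.get(bridge)
    if not routers:
        return (f"no router port on {bridge}: bridge floods multicast even with "
                f"multicast_snooping=1 (no IGMP querier seen on this segment)")
    return f"snooping active on {bridge}: router ports {sorted(routers)}"


if __name__ == "__main__":
    mdb = parse_mdb(SAMPLE_MDB)
    for br in ("vmbr0", "vmbr2"):
        print(diagnose(mdb, br, snooping=True))
    print(egress_ports(mdb, "vmbr2", "239.255.255.250", "tap109i0",
                       {"tap109i0", "tap110i0"}))
```

On a live host, feed `diagnose()` the output of `bridge -d -s mdb show` together with the value of `/sys/class/net/<bridge>/bridge/multicast_snooping`; the "no router port" verdict is exactly the state in the original post, where `mcast_snooping` was 1 but no querier existed, so the SSDP frame was flooded to the other port.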
 