Smcroute stats PRIOR to firewall kick-in?

Dear all,

in my OpenWrt main router smcroute stats I'm seeing multicast packages arriving from my WAN router connection that I would expect to be blocked by the main router firewall.

I presume this is because smcroute is not a routing proxy by itself, but is rather orchestrating the kernel multicast routing capabilities, with the smcroute packet count statistics reflecting the kernel knowledge about arriving packets prior to entering the firewall machinery?

I'm also observing that the multicast routing between firewall zones managed by smcroute is being controlled by the firewall "zone forwarding" settings, and NOT the INPUT setting of the source plus the OUTPUT setting of the destination zone, which fits the assumption above that the routed multicast packets are not considered to enter the router device IP stack itself and then leave it again (which would be the case if smcroute acted as a multicast proxy).

Can you experts confirm that my assumptions are correct?

Kind regards,
Sebastian

No one?

Kind regards,
Sebastian

2 Likes

I think it's difficult for people to extrapolate the exact point you're making here... Providing pasted console output of tcpdumps/iptables-save -c/uci show/ps w/startup order/etc. at various stages to highlight your point will likely facilitate an adequate response.

2 Likes

Smcroute puts multicast routes into the kernel multicast routing tables and then the firewall forward rules are the ones that matter. That's correct as far as I know.

2 Likes
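Added example, not part of any post above: one way to check the assumption discussed in this thread is to compare the kernel's per-route packet counters (`/proc/net/ip_mr_cache`) with the forward-chain rule counters from `iptables-save -c`. The sample data, chain names and the functions `mfc_pkts` and `fwd_pkts` are constructed for illustration, and the script assumes an iptables-based firewall whose forward rules match multicast traffic with an explicit `-d`.

```shell
#!/bin/sh
# Sum the Pkts column (4th field) of ip_mr_cache-format text, skipping the header.
mfc_pkts() {
    awk 'NR > 1 && NF >= 6 { sum += $4 } END { print sum + 0 }' "$1"
}

# Sum the packet counters of `iptables-save -c` rules that sit in a chain whose
# name contains "forward", match a multicast destination (224-239.x.x.x) and
# end in the given target. $1 = file, $2 = target (ACCEPT, DROP, ...)
fwd_pkts() {
    awk -v tgt="$2" '
        substr($1, 1, 1) == "[" && $2 == "-A" && tolower($3) ~ /forward/ {
            dst = ""; target = ""
            for (i = 4; i < NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            split(dst, oct, ".")
            if (target == tgt && oct[1] + 0 >= 224 && oct[1] + 0 <= 239) {
                split(substr($1, 2), cnt, ":")   # "[pkts:bytes]" -> pkts
                sum += cnt[1]
            }
        }
        END { print sum + 0 }' "$1"
}

# Constructed sample snapshots (on a router: cat /proc/net/ip_mr_cache and
# iptables-save -c, taken at the same moment).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mr_cache" <<'EOF'
Group    Origin   Iif     Pkts    Bytes    Wrong Oifs
EF010203 C0A80105 2        120    96000        0  3:1
EF010204 C0A80105 2         40    32000        0  3:1
EOF
cat > "$SAMPLE_DIR/ipt" <<'EOF'
*filter
[100:80000] -A zone_wan_forward -d 239.1.2.3/32 -p udp -j ACCEPT
[60:48000] -A zone_wan_forward -d 224.0.0.0/4 -j DROP
[999:79920] -A zone_wan_input -d 224.0.0.0/4 -j DROP
COMMIT
EOF

echo "kernel mroute pkts : $(mfc_pkts "$SAMPLE_DIR/mr_cache")"
echo "forward ACCEPT pkts: $(fwd_pkts "$SAMPLE_DIR/ipt" ACCEPT)"
echo "forward DROP pkts  : $(fwd_pkts "$SAMPLE_DIR/ipt" DROP)"
```

If the kernel route counter keeps rising while only the forward-chain DROP counter grows, the route statistics are being taken before the forward rules decide the packet's fate.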