SSDP filter is too loose? Generates too many warnings

[sweharris]

I'm trying to run this on my Rocky 9 router. enp2s0 is WAN (internet), enp3s0 is "internal".

In my setup enp3s0 has VLANs 10 ("LAN"; 10.0.0.1/24), 11 ("guest";10.100.100.1/24), 12 ("IoT";10.100.200.1/24).

This machine also runs DNS and DHCP servers.

And when I run it I get lots of "Got a packet that is not a SSDP query, response or advertisement"

Looking at the packet filter (line 34, ssdp.go)

not (ether src %s)
and vlan
and udp
and (
  (dst net (239.255.255.250 or ff02::c or ff05::c or ff08::c) and dst port 1900)
     or
  (ether dst %s and not port 5353)
)

It's that final OR clause that appears to be catching too many packets.

For example, any DNS packet sent to this machine will be caught.

But it will also catch UDP packets traversing the router from internal to WAN because the dst MAC of the packet will be that of the router, such as:

WARN[0007] Got a packet that is not a SSDP query, response or advertisement:
PACKET: 501 bytes, wire length 501 cap length 501 @ 2025-09-04 10:03:11.960925 -0400 EDT
- Layer 1 (14 bytes) = Ethernet {Contents=[..14..] Payload=[..487..] SrcMAC=XXXX DstMAC=ROUTER_MAC EthernetType=Dot1Q Length=0}
- Layer 2 (04 bytes) = Dot1Q    {Contents=[0, 10, 8, 0] Payload=[..483..] Priority=0 DropEligible=false VLANIdentifier=10 Type=IPv4}
- Layer 3 (20 bytes) = IPv4     {Contents=[..20..] Payload=[..463..] Version=4 IHL=5 TOS=0 Length=483 Id=7832 Flags=DF FragOffset=0 TTL=64 Protocol=UDP Checksum=15321 SrcIP=10.0.0.37 DstIP=23.23.189.93 Options=[] Padding=[]}
- Layer 4 (08 bytes) = UDP      {Contents=[..8..] Payload=[..455..] SrcPort=37492 DstPort=33434(traceroute) Length=463 Checksum=34881}
- Layer 5 (455 bytes) = Payload 455 byte(s)

That's an Amazon Echo device talking to Amazon on UDP.

Is there a reason for that final OR clause? What packets is it trying to capture? I'm guessing "response packets", but I'm just guessing :-)

If there is a good reason to capture these packets then I think the warning message should be dropped or made stricter; maybe only log these warnings in verbose mode?

[nberlee]

For example, any DNS packet sent to this machine will be caught.

Ok, this is not going to work as it was not the intention. And yes your conclusion is correct. The solution is simple.

I am assuming that:

• Your mentioned IP address is configured on the host
• You are running bonjour-reflector as a daemon on this host or as a container in Hostnetwork mode

The problem is, bonjour-reflector code assumes that the mac address is unique in the tagged vlan. In your case its shared. So yes the last or statement is too big, but its not easy to narrow it because its needed for SSDP responses.

The solution is here:

• use a unique ip address by using a different network adapter. Either by a physical one, or a virtual one in a bridge.
• or change the mac address of the vlaninterface on your host (not sure if this is possible)