mDNS helper fails to add expectations if host joined 224.0.0.251 multicast group

mDNS helper fails to add expectations if host joined 224.0.0.251 multicast group

[Andrei Borzenkov]

Please Cc me on reply, I am not subscribed to this list.

This is result of troubleshooting of user question "why my printer
management application fails to discover printer via mDNS".

Let's start with no firewall to make sure mDNS works.

bor@tw:~> dig -p 5353 @224.0.0.251 leap15.local +short
169.254.1.76
bor@tw:~>

Start firewall and verify that mDNS stops working

tw:/home/bor # systemctl start firewalld.service
tw:/home/bor # dig -p 5353 @224.0.0.251 leap15.local +short

; <<>> DiG 9.16.4 <<>> -p 5353 @224.0.0.251 leap15.local +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
tw:/home/bor #

Configure mDNS helper (rules for related packets are already default in
firewalld):

w:/home/bor # nfct add helper mdns inet udp
tw:/home/bor # systemctl start conntrackd.service
tw:/home/bor # nfct list helper
{
	.name = mdns,
	.queuenum = 6,
	.l3protonum = 2,
	.l4protonum = 17,
	.priv_data_len = 0,
	.status = enabled,
};
tw:/home/bor # iptables -t raw -A OUTPUT -m addrtype --dst-type
MULTICAST -p udp --dport 5353 -j CT --helper mdns
tw:/home/bor #

Let's try resolving again

bor@tw:~> dig -p 5353 @224.0.0.251 leap15.local +short
169.254.1.76
bor@tw:~>

And expectations are correctly added

tw:/home/bor # conntrack -E expect
    [NEW] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=38407 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=38407 dport=5353
PERMANENT class=0 helper=mdns
^Cconntrack v1.4.6 (conntrack-tools): 1 expectation events have been shown.
tw:/home/bor #

Now try registering interface for mDNS multicast group (exactly what
Avahi does):

tw:/home/bor # ip maddress show dev enp0s5
3:	enp0s5
	link  01:00:5e:00:00:01
	link  33:33:00:00:00:01
	link  33:33:ff:89:87:bc
	inet  224.0.0.1
	inet6 ff02::1:ff89:87bc
	inet6 ff02::1
	inet6 ff01::1
tw:/home/bor #

bor@tw:~> python
Python 2.7.18 (default, Apr 23 2020, 09:27:04) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> import struct
>>> s = socket.socket (socket.AF_INET, socket.SOCK_DGRAM)
>>> s.bind (("0.0.0.0", 5353))
>>> req = struct.pack ("=4sl", socket.inet_aton("224.0.0.251"),
socket.INADDR_ANY)
>>> s.setsockopt (socket.SOL_IP, socket.IP_ADD_MEMBERSHIP, req)
>>>

tw:/home/bor # ss -4lunp
State     Recv-Q    Send-Q        Local Address:Port       Peer
Address:Port    Process
UNCONN    0         0                   0.0.0.0:5353
0.0.0.0:*        users:(("python",pid=8420,fd=3))
tw:/home/bor # ip maddress show dev enp0s5
3:	enp0s5
	link  01:00:5e:00:00:01
	link  33:33:00:00:00:01
	link  33:33:ff:89:87:bc
	link  01:00:5e:00:00:fb
	inet  224.0.0.251
	inet  224.0.0.1
	inet6 ff02::1:ff89:87bc
	inet6 ff02::1
	inet6 ff01::1
tw:/home/bor #

Let's try to resolve again

tw:/home/bor # dig -p 5353 @224.0.0.251 leap15.local +short

; <<>> DiG 9.16.4 <<>> -p 5353 @224.0.0.251 leap15.local +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
tw:/home/bor #

and checking what happens is expectations get deleted immediately

tw:/home/bor # conntrack -E expect
    [NEW] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
[DESTROY] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
    [NEW] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
[DESTROY] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
    [NEW] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
[DESTROY] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
    [NEW] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
[DESTROY] 30 proto=17 src=0.0.0.0 dst=169.254.33.186 sport=5353
dport=56327 mask-src=0.0.0.0 mask-dst=0.0.0.0 sport=65535 dport=65535
master-src=169.254.33.186 master-dst=224.0.0.251 sport=56327 dport=5353
PERMANENT class=0 helper=mdns
^Cconntrack v1.4.6 (conntrack-tools): 8 expectation events have been shown.
tw:/home/bor #

This is real life issue, as lot of distributions have Avahi enabled by
default, Avahi registers multicast group as the first thing so discovery
fails as long as Avahi daemon is running which is default.

bor@tw:~> uname -a
Linux tw.0.2.15 5.7.5-1-default #1 SMP Tue Jun 23 06:00:46 UTC 2020
(a1775d0) x86_64 x86_64 x86_64 GNU/Linux
bor@tw:~>