MLDv1 listener reports are not blocked when using use_vmac #2452

Open
atonkyra opened this issue Jul 23, 2024 · 0 comments
Comments

atonkyra commented Jul 23, 2024

Describe the bug
There was earlier work to block MLD listener reports from the vmac interface using nftables/iptables but it seems to only target MLDv2 listener reports (at least on nftables). MLDv1 listener reports are still sent unfiltered and might cause a brief MAC flap.

To Reproduce
Enable use_vmac and monitor what traffic is being sent. At regular (rare) intervals MLDv1 listener reports may be seen.

Expected behavior
MLDv1 listener reports would be blocked too.

Keepalived version

Keepalived v2.3.1 (05/24,2024)

Copyright(C) 2001-2024 Alexandre Cassen, <acassen@gmail.com>

Built with kernel headers for Linux 6.8.11
Running on Linux 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)
Distro: Debian GNU/Linux trixie/sid

configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --enable-snmp --enable-sha1 --enable-snmp-rfcv2 --enable-snmp-rfcv3 --enable-dbus --enable-json --enable-bfd --enable-regex --enable-log-file --with-init=systemd build_alias=x86_64-linux-gnu CFLAGS=-g -O2 -Werror=implicit-function-declaration  -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection LDFLAGS=-Wl,-z,relro CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2

Config options:  NFTABLES LVS REGEX VRRP VRRP_AUTH VRRP_VMAC JSON BFD OLD_CHKSUM_COMPAT SNMP_V3_FOR_V2 SNMP_VRRP SNMP_CHECKER SNMP_RFCV2 SNMP_RFCV3 DBUS FILE_LOGGING LOG_FILE_APPEND INIT=systemd SYSTEMD_NOTIFY

System options:  VSYSLOG MEMFD_CREATE IPV6_MULTICAST_ALL IPV4_DEVCONF LIBNL3 RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA FRA_PROTOCOL FRA_IP_PROTO FRA_SPORT_RANGE FRA_DPORT_RANGE RTA_TTL_PROPAGATE IFA_FLAGS LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA NET_LINUX_IF_H_COLLISION LIBIPVS_NETLINK IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS IPVS_TUN_TYPE IPVS_TUN_CSUM IPVS_TUN_GRE VRRP_IPVLAN IFLA_LINK_NETNSID GLOB_BRACE GLOB_ALTDIRFUNC INET6_ADDR_GEN_MODE VRF SO_MARK

Distro (please complete the following information):

  • Name: Debian
  • Version: Trixie
  • Architecture: x86_64

Details of any containerisation or hosted service (e.g. AWS)
n/a

Configuration file:

global_defs {
   router_id 100.127.0.2
   dynamic_interfaces
}

vrrp_instance VI_1v4 {
    state BACKUP
    interface br0
    virtual_router_id 1
    use_vmac vrrp1v4
    priority 100
    advert_int 1

    virtual_ipaddress {
        100.64.0.1/16
    }
}

vrrp_instance VI_1v6 {
    state BACKUP
    interface br0
    virtual_router_id 1
    use_vmac vrrp1v6
    priority 100
    advert_int 1

    virtual_ipaddress {
        fe80::1/64
        fd00:1234:564:1::1/64
    }
}

Notify and track scripts

n/a

System Log entries

n/a

Did keepalived coredump?

n/a

Additional context
As a temporary fix I could add an nftables rule in the output chain like:

oifname vrrp1v6 icmpv6 type mld-listener-report counter drop

I then see the counter incrementing, and after this no MLDv1 messages are seen. Maybe the rules injected by keepalived should include mld-listener-report in addition to mld2-listener-report?
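The distinction the report turns on is the ICMPv6 type: an MLDv1 listener report is type 131 (nft name mld-listener-report), an MLDv2 listener report is type 143 (mld2-listener-report), and a rule that matches only the latter lets the former leave the vmac interface with the VRRP virtual MAC as its source, which is what a switch then learns on the backup's port. The script below is an added example written for this page, not code from the issue or from keepalived: it constructs an MLDv1 and an MLDv2 report frame the way the kernel emits them (IPv6 with a Hop-by-Hop Router Alert option in front of ICMPv6, so a parser cannot just read the IPv6 next-header field), walks the extension headers to find the ICMPv6 type, and simulates the effect of an output-chain rule matching either one type or both. The virtual MAC 00:00:5e:00:02:01 (RFC 5798 form for an IPv6 instance with VRID 1), the link-local source and the solicited-node group are assumptions chosen for the demonstration; the filter is a simulation of `oifname <vmac> icmpv6 type ... drop`, not nftables itself.

```python
"""Show why an egress filter on the vmac interface that only matches MLDv2
listener reports (ICMPv6 type 143) still lets MLDv1 listener reports
(ICMPv6 type 131) leave with the VRRP virtual MAC as source.

All frames and addresses here are constructed for this example. The
'filter' is a simulation of an nft 'oifname <vmac> icmpv6 type ... drop'
output-chain rule, not nftables."""
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_HOPOPTS = 0
IPPROTO_ICMPV6 = 58

MLD_QUERY, MLDV1_REPORT, MLDV1_DONE, MLDV2_REPORT = 130, 131, 132, 143

# nft symbolic names for the two report types (the names used in the issue)
NFT_TYPE_NAMES = {MLDV1_REPORT: "mld-listener-report",
                  MLDV2_REPORT: "mld2-listener-report"}

# Assumed values: VRRP virtual MAC for an IPv6 instance with VRID 1
# (00:00:5e:00:02:{VRID}), a link-local source, the solicited-node group
# for fe80::1, and ff02::16 (destination of every MLDv2 report).
VRRP_VMAC = bytes.fromhex("00005e000201")
LL_SRC = bytes.fromhex("fe800000000000000000000000000001")
SOLICITED_NODE = bytes.fromhex("ff0200000000000000000001ff000001")
ALL_MLDV2_ROUTERS = bytes.fromhex("ff020000000000000000000000000016")


def ipv6_mcast_mac(group: bytes) -> bytes:
    """Ethernet multicast MAC for an IPv6 group: 33:33 + low 32 bits."""
    return b"\x33\x33" + group[12:16]


def build_mld_frame(icmp_type: int, group: bytes, src_mac: bytes = VRRP_VMAC) -> bytes:
    """Ethernet / IPv6 / Hop-by-Hop(Router Alert) / ICMPv6 MLD frame.
    The ICMPv6 checksum is left at zero; this frame is only parsed, never sent."""
    if icmp_type == MLDV2_REPORT:
        dst = ALL_MLDV2_ROUTERS
        # type, code, cksum, reserved, nrecords=1; one record:
        # CHANGE_TO_EXCLUDE(4), aux len 0, 0 sources, group address
        icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 1) + struct.pack("!BBH", 4, 0, 0) + group
    else:
        dst = group
        # type, code, cksum, max resp delay, reserved, multicast address
        icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + group
    # Hop-by-Hop: next header 58, ext len 0 (8 bytes): Router Alert + PadN
    hbh = struct.pack("!BB", IPPROTO_ICMPV6, 0) + b"\x05\x02\x00\x00" + b"\x01\x00"
    payload = hbh + icmp
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), IPPROTO_HOPOPTS, 1) + LL_SRC + dst
    return ipv6_mcast_mac(dst) + src_mac + struct.pack("!H", ETH_P_IPV6) + ip6 + payload


def icmpv6_type(frame: bytes):
    """Walk Ethernet -> IPv6 -> extension headers; return the ICMPv6 type or None."""
    if len(frame) < 54 or frame[12:14] != b"\x86\xdd" or frame[14] >> 4 != 6:
        return None
    nh, off = frame[20], 54          # IPv6 next header field, end of base header
    while nh in (0, 43, 60):          # Hop-by-Hop, Routing, Destination Options
        if len(frame) < off + 2:
            return None
        nh, ext_len = frame[off], frame[off + 1]
        off += (ext_len + 1) * 8
    if nh != IPPROTO_ICMPV6 or len(frame) <= off:
        return None
    return frame[off]


def vmac_egress_drops(frame: bytes, dropped_types) -> bool:
    """Simulate 'oifname <vmac> icmpv6 type { ... } drop' for a frame leaving the vmac."""
    return icmpv6_type(frame) in dropped_types


def leaked_vrrp_mac_frames(frames, dropped_types):
    """Frames that would still leave sourced from the VRRP MAC under the given rule."""
    return [f for f in frames
            if f[6:12] == VRRP_VMAC and not vmac_egress_drops(f, dropped_types)]


def nft_vmac_rule(vmac_ifname: str, types) -> str:
    """Render an output-chain rule covering all given report types as one nft set."""
    names = ", ".join(NFT_TYPE_NAMES[t] for t in sorted(types))
    return f"oifname {vmac_ifname} icmpv6 type {{ {names} }} counter drop"


if __name__ == "__main__":
    frames = [build_mld_frame(MLDV1_REPORT, SOLICITED_NODE),
              build_mld_frame(MLDV2_REPORT, SOLICITED_NODE)]
    for label, types in (("MLDv2 only", {MLDV2_REPORT}),
                         ("MLDv1 + MLDv2", {MLDV1_REPORT, MLDV2_REPORT})):
        leaks = leaked_vrrp_mac_frames(frames, types)
        print(f"{label}: ICMPv6 types still leaving the vmac: {[icmpv6_type(f) for f in leaks]}")
    print(nft_vmac_rule("vrrp1v6", {MLDV1_REPORT, MLDV2_REPORT}))
```

With the MLDv2-only set the MLDv1 report (type 131) is the one frame that still leaves with the virtual MAC; with both types in the set nothing does. On a real host the rendered rule goes in the same output chain as the workaround above, and `nft list ruleset` will show its counter advancing whenever the kernel reports a group from the vmac interface.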
