Add support for reflect-filter list in avahi daemon. #62
Conversation
…n fire and qnap nas devices.
This enhancement is provided courtesy of James Rudd <James.Rudd@sbhs.nsw.edu.au> and http://jrudd.org/2014/08/avahi-reflector-filtering-patch/ Allows Avahi-Daemon to filter which advertisements are added to the cache to be reflected to different networks. It checks incoming service names against a list defined in avahi-daemon.conf [reflector] reflect-filters. The list can be types of services or can contain hostnames to match. For example if we only allow AirPlay and AirTunes to be reflected between VLANs, so have "_airplay._tcp.local,_raop._tcp.local" set. For AirPrint set "_printer._tcp.local,_ipp._tcp.local,_pdl-datastream._tcp.local" Remember to set firewall to permit traffic between LANs for the corresponding ports. The patch will block the PTR and SRV advertisements but will still allow A records for machine name lookup. All locally published services are still published even if they do not match the filter. The filter also blocks local programs from seeing advertised programs so it is recommend to only enable it on a dedicated bonjour reflector server.
|
I hope this PR gets accepted, we have been using James' patch in our project, adding very useful functionality. Kudos to James and @dkerr64 . |
|
Thanks for putting this all together David. Hopefully will be accepted into base. |
…ed debug message for matches as well as rejects. I have found that it is extremely useful to see what mDNS-SD messages are matched or rejected in order to debug service discovery and therefore it is best if these messages can be turned on with the --debug flag as necessary.
|
I thought I would document a printer use case for this enhancement. By default avahi-daemon will reflect all mDNS-SD messages which will potentially cause many more services to be broadcast onto the guest VLAN which is undesirable. This enhancement lets you control which services are published onto the guest VLAN so that e.g. only printing services are published. For printers add the line... This in itself is not enough, you must also open up firewall ports to allow traffic from guest VLAN to the IP address of the printer(s). With iptables this would look like... Where 192.168.101.0/24 is guest network and 192.168.1.8 is IP address of printer on your main LAN. A similar method can be used to enable access to AirPlay devices, though the firewall rules are more complex. David |
|
As mentioned in my previous comment, AirPlay can also be enabled across LANs. In this example I have tested using the AirServer application on a Apple Mac, not with a genuine Apple TV. Different rules may be required for a genuine Apple TV. In avahi-daemon.conf... Firewall iptables rules... Where 192.168.101.0/24 is guest network and 192.168.1.5 is IP address of Mac running AirServer on your main LAN. Note, ports may be different for a real Apple TV or other AirPlay device (e.g. a AirPlay speaker) or any other mDNS-SD You can use tcpdump to identify them. You can also run avahi-daemon --debug to see which mDNS-SD messages are getting reflected or rejected, this can be helpful when initially setting up a new device to be reflected. David |
|
Thanks for your contribution, and testing reports. I would be happy to include this once I've reviewed it. I noticed at WWDC that Apple added support for Bluetooth beacons to show or highlight nearby printers from Bonjour.. I desperately hope they add this for airplay targets as well. |
…disable-publishing=yes is set in conf file. Fixes lathiat/avahi issue avahi#38
|
@lathiat any chance we can have this merged into the master please? We have been running this in production on astlinux (http://www.astlinux-project.org/) for close to 9 months now without problems. Thanks |
|
@lathiat Can you please review this pull request and comment or merge into the master please. |
|
@lathiat Can you please review this pull request and comment or merge into the master please.Thank you |
|
Sounds like a really good enhancement to Avahi. Thank you! |
|
Thank you. I just wish @lathiat would merge into master. |
…ahi#62, and used in Astlinux
|
I am looking for exactly this! I hope it gets merged soon. |
|
@dkerr64 I build from source with your patch and ran it, but unfortunately it is still reflecting all services, not only the once allowed with These are the steps I took to build from source: Did I do something wrong? |
|
Chris @cpoetter, thanks for posting your question. I tested on my network today and it is working as expected. I assume you have two networks (e.g. 192.168.1.0/24 and 192.168.2.0/24) and that avahi is running on a box that is connected to both? My conf file includes this section... [reflector] And I confirmed by connecting an iPhone to one network and using the Discovery app (https://itunes.apple.com/us/app/discovery-dns-sd-browser/id305441017?mt=8) and it only showed those devices from the other network that broadcast one of the above tags. If I comment out the reflect-filters statement and restart the daemon then dozens of Bonjour/DNS-SD names are visible. David. |
|
Chris @cpoetter, I should add that some devices, including iPhones/iPads/Macs cache Bonjour/DNS-SD replies.. so if you start out testing by reflecting everything, then change to a selective list, then that device will still have in its cache the full list. I don't know how long it takes for the cache to flush. |
This commit fixes the bug, when there is multiple records in the response (usually there are), and first record does not correspond to any of the configured services - originally, packet was getting dropped. With this fix current record is skipped, and the code looks further.
Filtering bugfix
|
I suggest splitting this pull request and moving the avahi-core/iface.c change which suppresses the spurious log messages into a separate PR. It has nothing to do with the feature being introduced here and will have better chances to get merged, IMHO. |
As this PR has been siting here for over 3 years without comment from @lathiat I doubt there is very much I could do short of appealing to him yet again to consider merging this. I will await his guidance. |
|
THANK YOU @lathiat |
|
Please excuse my ignorance but how do I apply this patch to my current Avahi running on Ubuntu 16..04? |
This enhancement is provided courtesy of James Rudd James.Rudd@sbhs.nsw.edu.au and http://jrudd.org/2014/08/avahi-reflector-filtering-patch/
Allows avahi-daemon to filter which advertisements are added to the cache to be reflected to different networks. It checks incoming service names against a list defined in avahi-daemon.conf [reflector] reflect-filters. The list can be types of services or can contain hostnames to match.
For example if we only allow AirPlay and AirTunes to be reflected between VLANs, so have "_airplay._tcp.local,_raop._tcp.local" set. For AirPrint set "_printer._tcp.local,_ipp._tcp.local,_pdl-datastream._tcp.local"
Remember to set firewall rules to permit traffic between LANs for the corresponding ports.
The patch will block the PTR and SRV advertisements but will still allow A records for machine name lookup. All locally published services are still published even if they do not match the filter. The filter also blocks local programs from seeing advertised programs so it is recommend to only enable it on a dedicated bonjour reflector server. This has been tested on both ipv4 and ipv6.