[ip6] filter host originated multicast packets

etc/cmake/options.cmake

@@ -212,6 +212,7 @@ ot_option(OT_LINK_METRICS_INITIATOR OPENTHREAD_CONFIG_MLE_LINK_METRICS_INITIATOR
 ot_option(OT_LINK_METRICS_MANAGER  OPENTHREAD_CONFIG_LINK_METRICS_MANAGER_ENABLE "link metrics manager")
 ot_option(OT_LINK_METRICS_SUBJECT OPENTHREAD_CONFIG_MLE_LINK_METRICS_SUBJECT_ENABLE "link metrics subject")
 ot_option(OT_LINK_RAW OPENTHREAD_CONFIG_LINK_RAW_ENABLE "link raw service")
+ot_option(OT_LOCAL_HOST_MULTICAST_FILTER OPENTHREAD_CONFIG_FILTER_LOCAL_ORIGINATED_MULTICAST_PACKETS "filter local originated multicast packet")
 ot_option(OT_LOG_LEVEL_DYNAMIC OPENTHREAD_CONFIG_LOG_LEVEL_DYNAMIC_ENABLE "dynamic log level control")
 ot_option(OT_MAC_FILTER OPENTHREAD_CONFIG_MAC_FILTER_ENABLE "mac filter")
 ot_option(OT_MESH_DIAG OPENTHREAD_CONFIG_MESH_DIAG_ENABLE "mesh diag")

script/test

@@ -337,6 +337,7 @@ do_build_otbr_docker()
         "-DOT_COVERAGE=ON"
         "-DOT_DNS_CLIENT=ON"
         "-DOT_DUA=ON"
+        "-DOT_LOCAL_HOST_MULTICAST_FILTER=ON"
         "-DOT_MLR=ON"
         "-DOT_NETDATA_PUBLISHER=ON"
         "-DOT_SLAAC=ON"

src/core/backbone_router/multicast_listeners_table.cpp

@@ -308,6 +308,20 @@ Error MulticastListenersTable::GetNext(Listener::Iterator &aIterator, Listener::
     return error;
 }
 
+bool MulticastListenersTable::HasListener(const Ip6::Address &aAddress)
+{
+    for (uint16_t i = 0; i < mNumValidListeners; i++)
+    {
+        Listener &listener = mListeners[i];
+
+        if (listener.GetAddress() == aAddress)
+        {
+            return true;
+        }
+    }
+    return false;
+}
+
 } // namespace BackboneRouter
 
 } // namespace ot

src/core/backbone_router/multicast_listeners_table.hpp

@@ -197,6 +197,16 @@ class MulticastListenersTable : public InstanceLocator, private NonCopyable
      */
     Error GetNext(Listener::Iterator &aIterator, Listener::Info &aInfo);
 
+    /**
+     * Check if a given address has a listener
+     *
+     * @param[in] aAddress    An Ipv6 address
+     *
+     * @retval true           aAddress has a listener
+     * @retval false          aAddress doesn't have a listener
+     */
+    bool HasListener(const Ip6::Address &aAddress);
+
 private:
     static constexpr uint16_t kTableSize = OPENTHREAD_CONFIG_MAX_MULTICAST_LISTENERS;
 

src/core/net/ip6.cpp

@@ -35,6 +35,7 @@
 
 #include "backbone_router/bbr_leader.hpp"
 #include "backbone_router/bbr_local.hpp"
+#include "backbone_router/multicast_listeners_table.hpp"
 #include "backbone_router/ndproxy_table.hpp"
 #include "common/code_utils.hpp"
 #include "common/debug.hpp"
@@ -1068,6 +1069,22 @@ Error Ip6::SendRaw(OwnedPtr<Message> aMessagePtr)
 
     if (header.GetDestination().IsMulticast())
     {
+#if OPENTHREAD_CONFIG_FILTER_LOCAL_ORIGINATED_MULTICAST_PACKETS
+        // For multicast packets originated from this device, only forward to thread
+        // network if destination is in the multicast listener table
+        if (!aMessagePtr->IsOriginThreadNetif() && Get<ThreadNetif>().HasUnicastAddress(header.GetSource()))
+        {
+#if OPENTHREAD_CONFIG_BACKBONE_ROUTER_MULTICAST_ROUTING_ENABLE && OPENTHREAD_FTD && \
+    OPENTHREAD_CONFIG_BACKBONE_ROUTER_ENABLE
+            VerifyOrExit((header.GetDestination().IsMulticastLargerThanRealmLocal() &&
+                          Get<BackboneRouter::MulticastListenersTable>().HasListener(header.GetDestination())),
+                         error = kErrorDrop);
+#else
+            ExitNow(error = kErrorDrop);
+#endif
+        }
+#endif
+
         SuccessOrExit(error = InsertMplOption(*aMessagePtr, header));
     }
 

tests/scripts/thread-cert/backbone/test_mlr_multicast_routing_self_originated_packet.py

@@ -0,0 +1,116 @@
+#!/usr/bin/env python3
+#
+#  Copyright (c) 2023, The OpenThread Authors.
+#  All rights reserved.
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#  1. Redistributions of source code must retain the above copyright
+#     notice, this list of conditions and the following disclaimer.
+#  2. Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in the
+#     documentation and/or other materials provided with the distribution.
+#  3. Neither the name of the copyright holder nor the
+#     names of its contributors may be used to endorse or promote products
+#     derived from this software without specific prior written permission.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS'
+#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+#  POSSIBILITY OF SUCH DAMAGE.
+#
+# This test verifies that the multicast packet originated from BBR is only
+# forwarded to thread network when the destination group address is in the
+# multicast listener table.
+#
+import unittest
+import sys
+
+import thread_cert
+import config
+from pktverify.consts import ICMPV6_TYPE_DESTINATION_UNREACHABLE
+from pktverify.packet_verifier import PacketVerifier
+
+PBBR = 1
+ROUTER = 2
+
+MA1 = 'ff04::10'
+MA2 = 'ff05::20'
+
+
+class TestMlrMulticastRoutingSelfOriginatedPacket(thread_cert.TestCase):
+    USE_MESSAGE_FACTORY = False
+
+    # Topology:
+    #
+    #    ------(eth)----------
+    #           |
+    #         PBBR---ROUTER
+    #
+    TOPOLOGY = {
+        PBBR: {
+            'name': 'PBBR',
+            'allowlist': [ROUTER],
+            'is_otbr': True,
+            'version': '1.2',
+        },
+        ROUTER: {
+            'name': 'ROUTER',
+            'allowlist': [PBBR],
+            'version': '1.2',
+        },
+    }
+
+    def test(self):
+        self.nodes[PBBR].start()
+        self.simulator.go(config.LEADER_STARTUP_DELAY)
+        self.assertEqual('leader', self.nodes[PBBR].get_state())
+        self.nodes[PBBR].enable_backbone_router()
+        self.simulator.go(3)
+        self.assertTrue(self.nodes[PBBR].is_primary_backbone_router)
+
+        self.nodes[ROUTER].start()
+        self.simulator.go(5)
+        self.assertEqual('router', self.nodes[ROUTER].get_state())
+
+        self.simulator.go(5)
+
+        self.collect_ipaddrs()
+
+        # Verify PBBR can send packets to mlr registered multicast address on Thread network
+        self.nodes[ROUTER].add_ipmaddr(MA1)
+        self.simulator.go(3)
+        self.assertTrue(self.nodes[PBBR].ping(MA1, backbone=True, ttl=10, interface=config.THREAD_IFNAME))
+
+        # Verify PBBR can't send packets to not registered multicast address on Thread network
+        self.assertFalse(self.nodes[PBBR].ping(MA2, backbone=True, ttl=10, interface=config.THREAD_IFNAME))
+
+    def verify(self, pv: PacketVerifier):
+        pkts = pv.pkts
+        pv.add_common_vars()
+        pv.summary.show()
+
+        with pkts.save_index():
+            pv.verify_attached('ROUTER')
+
+        PBBR = pv.vars['PBBR']
+        #PBBR_OMR = pv.vars['PBBR_OMR']
+
+        # PBBR should send ping request to MA1 to Thread network
+        pkts.filter_wpan_src64(PBBR).filter_AMPLFMA().filter(
+            lambda p: p.ipv6inner.dst == MA1).filter_ping_request().must_next()
+
+        # PBBR should not send ping request to MA2 to Thread network
+        pkts.filter_wpan_src64(PBBR).filter_AMPLFMA().filter(
+            lambda p: p.ipv6inner.dst == MA2).filter_ping_request().must_not_next()
+
+
+if __name__ == '__main__':
+    unittest.main()