Re: [PATCH] net: ipv4: igmp: add sysctl option to ignore inbound llm_reports

[Jakub Kicinski]

On Wed, 15 Apr 2026 12:26:13 +0200 Steffen Trumtrar wrote:
> Add a new sysctl option 'igmp_link_local_mcast_reports_drop' that allows
> dropping inbound IGMP reports for link-local multicast groups in the
> 224.0.0.X range. This can be used to prevent the local system from
> processing IGMP reports for link local multicast groups and therefore
> let the kernel still send the own outbound IGMP reports.

+Ido to CC

I'm not sure what is reasonable here and what should be a firewall rule.
Either way:

## Form letter - net-next-closed

We have already submitted our pull request with net-next material for
v7.1, and therefore net-next is closed for new drivers, features, code
refactoring and optimizations. We are currently accepting bug fixes
only.

Please repost when net-next reopens after Apr 27th.

RFC patches sent for review only are obviously welcome at any time.

See:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#development-cycle

>  Documentation/networking/ip-sysctl.rst                       | 12 ++++++++++++
>  .../networking/net_cachelines/netns_ipv4_sysctl.rst          |  1 +
>  include/net/netns/ipv4.h                                     |  1 +
>  net/ipv4/af_inet.c                                           |  1 +
>  net/ipv4/igmp.c                                              |  2 ++
>  net/ipv4/sysctl_net_ipv4.c                                   |  7 +++++++
>  6 files changed, 24 insertions(+)
> 
> diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
> index 6921d8594b849..2da4cd6ac7202 100644
> --- a/Documentation/networking/ip-sysctl.rst
> +++ b/Documentation/networking/ip-sysctl.rst
> @@ -2306,6 +2306,18 @@ igmp_link_local_mcast_reports - BOOLEAN
>  
>  	Default TRUE
>  
> +igmp_link_local_mcast_reports_drop - BOOLEAN
> +	Drop inbound IGMP reports for link local multicast groups in
> +	the 224.0.0.X range. When enabled, IGMP membership reports for
> +	link local multicast addresses are silently dropped without
> +	processing.
> +	When the kernel gets inbound IGMP reports it stops sending own
> +	IGMP reports. With allowing to drop and process the inbound reports,
> +	the kernel will not stop sending the own reports, even when IGMP
> +	reports from other hosts are seen on the network.
> +
> +	Default FALSE
> +
>  Alexey Kuznetsov.
>  kuznet@xxxxxxxxxxxxx
>  
> diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
> index beaf1880a19bf..703afe2ba063b 100644
> --- a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
> +++ b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
> @@ -140,6 +140,7 @@ int                             sysctl_udp_rmem_min
>  u8                              sysctl_fib_notify_on_flag_change
>  u8                              sysctl_udp_l3mdev_accept
>  u8                              sysctl_igmp_llm_reports
> +u8                              sysctl_igmp_llm_reports_drop
>  int                             sysctl_igmp_max_memberships
>  int                             sysctl_igmp_max_msf
>  int                             sysctl_igmp_qrv
> diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
> index 8e971c7bf1646..1453f825ffd4d 100644
> --- a/include/net/netns/ipv4.h
> +++ b/include/net/netns/ipv4.h
> @@ -258,6 +258,7 @@ struct netns_ipv4 {
>  	u8 sysctl_igmp_llm_reports;
>  	int sysctl_igmp_max_memberships;
>  	int sysctl_igmp_max_msf;
> +	u8 sysctl_igmp_llm_reports_drop;
>  	int sysctl_igmp_qrv;
>  
>  	struct ping_group_range ping_group_range;
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index c7731e300a442..b8f96a5d8afdc 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -1825,6 +1825,7 @@ static __net_init int inet_init_net(struct net *net)
>  	net->ipv4.sysctl_igmp_max_msf = 10;
>  	/* IGMP reports for link-local multicast groups are enabled by default */
>  	net->ipv4.sysctl_igmp_llm_reports = 1;
> +	net->ipv4.sysctl_igmp_llm_reports_drop = 0;
>  	net->ipv4.sysctl_igmp_qrv = 2;
>  
>  	net->ipv4.sysctl_fib_notify_on_flag_change = 0;
> diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
> index a674fb44ec25b..3a4932e4108bd 100644
> --- a/net/ipv4/igmp.c
> +++ b/net/ipv4/igmp.c
> @@ -931,6 +931,8 @@ static bool igmp_heard_report(struct in_device *in_dev, __be32 group)
>  	if (ipv4_is_local_multicast(group) &&
>  	    !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
>  		return false;
> +	if (READ_ONCE(net->ipv4.sysctl_igmp_llm_reports_drop))
> +		return true;
>  
>  	rcu_read_lock();
>  	for_each_pmc_rcu(in_dev, im) {
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 5654cc9c8a0b9..24dde84d289e4 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -948,6 +948,13 @@ static struct ctl_table ipv4_net_table[] = {
>  		.mode		= 0644,
>  		.proc_handler	= proc_dou8vec_minmax,
>  	},
> +	{
> +		.procname	= "igmp_link_local_mcast_reports_drop",
> +		.data		= &init_net.ipv4.sysctl_igmp_llm_reports_drop,
> +		.maxlen		= sizeof(u8),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dou8vec_minmax,
> +	},
>  	{
>  		.procname	= "igmp_max_memberships",
>  		.data		= &init_net.ipv4.sysctl_igmp_max_memberships,
> 
> ---
> base-commit: 028ef9c96e96197026887c0f092424679298aae8
> change-id: 20260415-v7-0-topic-igmp-llm-drop-e4c13dbf17cc
> 
> Best regards,
> --  
> Steffen Trumtrar <s.trumtrar@xxxxxxxxxxxxxx>
> 
-- 
pw-bot: defer
pv-bot: closed