Static multicast routing for UNIX
SMCRoute is a static multicast routing daemon providing fine grained control over the multicast forwarding cache (MFC) in the UNIX kernel. Both IPv4 and IPv6 are fully supported.
SMCRoute can be used as an alternative to dynamic multicast routers like mrouted, pimd, or pim6sd in setups where static multicast routes should be maintained and/or no proper IGMP or MLD signaling exists.
Multicast routes exist in the UNIX kernel as long as a multicast routing daemon runs. On Linux, multiple multicast routers can run simultaneously using different multicast routing tables.
All features, except mrdisc, are supported for both IPv4 and IPv6. Please note, some features may not be available on systems other than Linux. E.g., FreeBSD does not have SSM group join support.
(*,G)based static routing, including support for
Note:smcroutectlcan be used to freely modify the runtime state ofsmcrouted, but any changes made (routes/groups) are lost when the configuration is reloaded. This is by design.
smcrouted [-nNhsv] [-c SEC] [-d SEC] [-e CMD] [-f FILE] [-i NAME] [-l LVL] [-p USER:GROUP] [-P FILE] [-t ID] [-u FILE]
smcroutectl [-dptv] [-i NAME] [-u FILE] [COMMAND] smcroutectl ⟨kill | reload⟩ smcroutectl ⟨add | rem⟩ ⟨ROUTE⟩ smcroutectl ⟨join | leave⟩ ⟨GROUP⟩ smcroutectl show [ routes | groups]
To set multicast routes and join groups you must first start the daemon, which needs root privileges, or
smcrouted -nto run the daemon in the foreground, as required by modern init daemons like systemd and Finit.
When started from systemd,
smcroutedrusn with the
-n -soptions, i.e. supervised in the foreground and uses syslog for logging output. The default log level is
INFO, this can be adjusted using the file
When configured with
--sysconfdir=/etc, like most Linux distributions do,
/etc/smcroute.conf, which can look something like this:
mgroup from eth0 group 188.8.131.52 mgroup from eth0 group 184.108.40.206 source 192.168.1.42 mroute from eth0 group 220.127.116.11 source 192.168.1.42 to eth1 eth2
The first line means "Join multicast group 18.104.22.168 on interface eth0". Useful if
eth0is not directly connected to the source, but to a LAN with switches with IGMP snooping. Joining the group opens up multicast for that group towards
eth0. See below Caveat for limitations.
mgroupis for source specific group join, i.e. the host specifies that it wants packets from 192.168.1.42 and no other source.
mrouteline is the actual layer-3 routing entry. Here we say that multicast data originating from 192.168.1.42 on
eth0to the multicast group 22.214.171.124 should be forwarded to interfaces
Note: To test the above you can use ping from another device. The multicast should be visible as long as your IP# matches the source above and you ping 126.96.36.199 -- REMEMBER TO SET THE TTL >1
ping -I eth0 -t 2 188.8.131.52
The TTL is what usually bites people first trying out multicast routing. Most TCP/IP stacks default to a TTL of 1 for multicast frames, e.g. ping above requires
-t 2, or greater. This limitation is intentional and reduces the risk of someone accidentally flooding multicast. Remember, multicast behaves like broadcast unless limited.
The TTL should preferably be set on the sender side, e.g. the camera, but can also be modified in the firewall on a router. Be careful though because the TTL is the only thing that helps prevent routing loops! On Linux the following
iptablescommand can be used to change the TTL:
iptables -t mangle -A PREROUTING -i eth0 -d 184.108.40.206 -j TTL --ttl-inc 1
Some commands, like this one, must usually be run with root privileges or the correct set of capabilities.
On some platforms there is a limit of 20 groups per socket. This stems from a limit in BSD UNIX, which also affects Linux. The setting that controls this is
IP_MAX_MEMBERSHIPTS, defined in the system header file
netinet/in.h. Linux users can tweak this with the following
echo 40 > /proc/sys/net/ipv4/igmp_max_memberships
smcroutedprobes this at runtime by attempting to join as many groups as possible (as have been requested), when the kernel accepts no further joins on a socket,
smcroutedopens a new one.
For large setups it is recommended to investigate enabling multicast router ports in the switches, either statically or by enabling support for multicast router discovery, RFC 4286, or possibly use a dynamic multicast routing protocol.
smcrouted -e /path/to/script
-e CMDa user script or command can be called when
SIGHUPor installs a multicast route to the kernel. This is useful if you, for instance, also run a NAT firewall and need to flush connection tracking after installing a multicast route.
-Ncommand line option SMCRoute does not prepare all system interfaces for multicast routing. Very useful if your system has a lot of interfaces but only a select few are required for multicast routing. Use the following in
/etc/smcroute.confto enable interfaces:
phyint eth0 enable phyint eth1 enable phyint eth2 enable
It is possible to use any interface that supports the
Note, however, that depending on the UNIX kernel in use, you may have to have an interface address set, in the relevant address family, and the interface may likely also have to be
On Linux it is possible to run multiple multicast routing daemons due to its support for multiple multicast routing tables. In such setups it may be useful to change the default identity of SMCRoute:
smcrouted -i mrt1 -t 1 smcrouted -i mrt2 -t 2
-i NAMEoption alters the default syslog name, config file, PID file, and client socket file name used. In the first instance above,
and syslog messages will use the
mrt1identity as well. Remember to use the same
-i NAMEalso to
SMCRoute also has a client interface to interact with the daemon:
smcroutectl join eth0 220.127.116.11 smcroutectl add eth0 192.168.1.42 18.104.22.168 eth1 eth2
If the daemon runs with a different identity the client needs to be called using the same identity:
smcrouted -i mrt smcroutectl -i mrt show
There are more commands. See the man page or the online help for details:
Note: Root privileges are required by default forsmcroutectldue to the IPC socket permissions.
Multicast often originates from different sources but usually not at the same time. For a more generic setup, and to reduce the number of rules required, it is possible to set
(*,G)multicast routes for both IPv4 and IPv6. Variants include
(S/LEN,G/LEN. These wildcard routes are used as "templates" to match against and install proper
(S,G)routes when the kernel informs
smcroutedof inbound multicast from new sources.
phyint eth0 enable mrdisc phyint eth1 enable phyint eth1 enable
mgroup from eth0 group 22.214.171.124 mroute from eth0 group 126.96.36.199 to eth1 eth2
or, from the command line:
# smcroutectl join eth0 188.8.131.52 # smcroutectl add eth0 184.108.40.206 eth1 eth2
Also, see the
smcrouted -c SECoption for periodic flushing of learned
(*,G)rules, including the automatic blocking of unknown multicast, and the
configure --enable-mrdisc. When enabled it periodically sends out an IGMP message on inbound interfaces¹ to alert switches to open up multicast in that direction. Not many managed switches have support for this yet.
Note: mrdisc only works on Linux due toSO_BINDTODEVICE.
¹ Notice the
mrdiscflag to the above
phyint eth0directive, which is missing for
SMCRoute should in theory work on any UNIX like operating system which supports the BSD MROUTING API. Both Linux and FreeBSD are tested on a regular basis.
On Linux the following kernel config is required:
CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y CONFIG_IP_MROUTE_MULTIPLE_TABLES=y # For multiple routing tables CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y # For multiple routing tables
On *BSD the following kernel config is required:
options MROUTING # Multicast routing options PIM # pimd extensions used for (*,G) support
FreeBSD support module loading,
Check the list of multicast capable interfaces:
or look for interfaces with the
MULTICASTflag in the output from:
Some interfaces have the
MULTICASTflag disabled by default, like
greN. Usually this flag can be enabled administratively.
The GNU Configure & Build system use
/usr/localas the default install prefix. In many cases this is useful, but this means the configuration files, cache, and PID files will also use that prefix. Most users have come to expect those files in
/var/and configure has a few useful options that are recommended to use. For SMCRoute you may want to use something like this:
./configure --prefix=/usr --sysconfdir=/etc --runstatedir=/var/run make -j5 sudo make install-strip
Usually your system reserves
/usrfor native pacakges, so most users drop
--prefix, installing to
/usr/local, or use
Note: On some systems
--runstatedirmay not be available in the configure script, try
As of SMCRoute v2.2 support for privilege separation using the
libcaplibrary was added. It is used to drop full root privileges at startup, retaining only
CAP_NET_ADMINfor managing the multicast routes.
The build system searches for the
libcaplibrary and header file(s). Both
Note: Although support is automatically detected, the build system will issue a warning if
libcapis missing. This can be silenced with
For systemd integration
pkg-configare required. When the unit file is installed,
systemctlcan be used to enable and start
$ sudo systemctl enable smcroute.service $ sudo systemctl start smcroute.service
Check that it started properly by inspecting the system log, or:
$ sudo systemctl status smcroute.service
Some people want to build statically, to do this with
autoconfadd the following
LDFLAGS=after the configure script. You may also need to add
LIBS=..., which will depend on your particular system:
./configure LDFLAGS="-static" ...
configurescript and the
Makefile.infiles are generated and not stored in GIT. So if you checkout the sources from GitHub you first need to generated these files using
SMCRoute is maintained collaboratively at GitHub. Bug reports, feature requests, patches/pull requests, and documentation fixes are most welcome. The project was previously hosted and maintained by Debian at Alioth and before that by Carsten Schill, the original author.