igmpproxy: drop SSDP packets
authorDmitry Tunin <hanipouspilot@gmail.com>
Sat, 28 Jul 2018 14:48:42 +0000 (17:48 +0300)
committerJohn Crispin <john@phrozen.org>
Mon, 30 Jul 2018 08:43:36 +0000 (10:43 +0200)
It is insecure to let packets of this type inside.
They can, e.g., open ports on some other routers with UPnP, etc.

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
package/network/services/igmpproxy/Makefile
package/network/services/igmpproxy/files/igmpproxy.init

index d06402a..488de66 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=igmpproxy
 PKG_VERSION:=0.2.1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/pali/igmpproxy/releases/download/${PKG_VERSION}/
index 37fe62a..c4af430 100644 (file)
@@ -68,6 +68,18 @@ igmp_add_firewall_routing() {
 
        [[ "$direction" = "downstream" && ! -z "$zone" ]] || return 0
 
+# First drop SSDP packets then accept all other multicast
+
+       json_add_object ""
+       json_add_string type rule
+       json_add_string src "$upstream"
+       json_add_string dest "$zone"
+       json_add_string family ipv4
+       json_add_string proto udp
+       json_add_string dest_ip "239.255.255.250"
+       json_add_string target DROP
+       json_close_object
+
        json_add_object ""
        json_add_string type rule
        json_add_string src "$upstream"
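Review bot: The added comment says SSDP, but the new rule matches only on `proto udp` and `dest_ip "239.255.255.250"` with no `dest_port`, so every UDP datagram forwarded from `$upstream` to that group is dropped, not just port 1900 (WS-Discovery on 3702 uses the same group, for example). The broader match is the safer default, so I would keep the rule and correct the comment, indented with the body: `# Drop all UDP to 239.255.255.250 (SSDP/UPnP discovery group) from upstream; must stay ahead of the generic multicast rule below`. The drop only takes effect if this object is emitted before the rule that follows, whose target lies outside the hunk and is presumably ACCEPT, so the ordering dependency deserves that explicit mention. igmp_add_firewall_routing starts before and continues past the hunk.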