firewall: Allow IGMP and MLD input on WAN
authorSteven Barth <cyrus@openwrt.org>
Tue, 5 May 2015 13:22:41 +0000 (13:22 +0000)
committerSteven Barth <cyrus@openwrt.org>
Tue, 5 May 2015 13:22:41 +0000 (13:22 +0000)
The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.

RFC4890 recommends to leave IGMP and MLD unfiltered as they are always
link-scoped anyways.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
SVN-Revision: 45613

package/network/config/firewall/files/firewall.config

index d149e77..1a20e39 100644 (file)
@@ -46,6 +46,13 @@ config rule
        option family           ipv4
        option target           ACCEPT
 
+config rule
+       option name             Allow-IGMP
+       option src              wan
+       option proto            igmp
+       option family           ipv4
+       option target           ACCEPT
+
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule
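Review bot: The new Allow-IGMP rule accepts every IGMP message type from any source address on wan, and it carries no comment, unlike the DHCPv6 rule that follows it. IGMP is link-scoped by specification, but nothing in the rule enforces that, so the router's IGMP handling is exposed to whatever the upstream segment delivers. I would state the intent and that reliance directly above the rule, e.g. `# Allow IGMP from WAN so upstream snooping switches keep forwarding multicast; relies on IGMP being link-scoped`. If the goal is only to answer queries, as the commit message says, it is worth checking whether the match can be narrowed.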
@@ -59,6 +66,18 @@ config rule
        option family           ipv6
        option target           ACCEPT
 
+config rule
+       option name             Allow-MLD
+       option src              wan
+       option proto            icmp
+       option src_ip           fe80::/10
+       list icmp_type          '130/0'
+       list icmp_type          '131/0'
+       list icmp_type          '132/0'
+       list icmp_type          '143/0'
+       option family           ipv6
+       option target           ACCEPT
+
 # Allow essential incoming IPv6 ICMP traffic
 config rule
        option name             Allow-ICMPv6-Input
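Review bot: The four numeric `icmp_type` entries in Allow-MLD are undocumented, so a reader auditing the WAN input policy has to look up that 130 is Multicast Listener Query, 131 Report, 132 Done and 143 the MLDv2 Report. A comment above the rule such as `# MLD: 130 query, 131 report, 132 done, 143 MLDv2 report (RFC 4890)` would make it reviewable at a glance. The commit message only motivates answering queries, yet the rule also accepts report and done messages on wan input; if that is deliberate, the comment should say so. `option src_ip fe80::/10` also excludes reports sent from the unspecified address, which RFC 3590 permits, though that is presumably an acceptable trade-off for this zone.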