The WAN port should at least respond to IGMP and MLD queries as otherwise a snooping bridge/switch might drop traffic.
RFC4890 recommends to leave IGMP and MLD unfiltered as they are always link-scoped anyways. Signed-off-by: Linus Lüssing <linus.luess...@c0d3.blue> --- v2 of "[PATCH] firewall: Allow MLD input on WAN": * Allow IGMP too * Added note about RFC4890 .../network/config/firewall/files/firewall.config | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config index d149e77..1a20e39 100644 --- a/package/network/config/firewall/files/firewall.config +++ b/package/network/config/firewall/files/firewall.config @@ -46,6 +46,13 @@ config rule option family ipv4 option target ACCEPT +config rule + option name Allow-IGMP + option src wan + option proto igmp + option family ipv4 + option target ACCEPT + # Allow DHCPv6 replies # see https://dev.openwrt.org/ticket/10381 config rule @@ -59,6 +66,18 @@ config rule option family ipv6 option target ACCEPT +config rule + option name Allow-MLD + option src wan + option proto icmp + option src_ip fe80::/10 + list icmp_type '130/0' + list icmp_type '131/0' + list icmp_type '132/0' + list icmp_type '143/0' + option family ipv6 + option target ACCEPT + # Allow essential incoming IPv6 ICMP traffic config rule option name Allow-ICMPv6-Input -- 1.7.10.4 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
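Review bot: the Allow-IGMP rule in the first hunk (@@ -46,6 +46,13 @@) is added without a comment line above its "config rule", unlike the "# Allow DHCPv6 replies" block that follows it, so the reason for it exists only in the commit message. Please add a one-line comment giving the snooping bridge/switch rationale. RFC4890 is about filtering ICMPv6, so that comment should not cite it for this IPv4 rule. The rule matches only "option src wan" and "option proto igmp", so IGMP from any source address on wan is accepted. If that is intended, as the commit message suggests, the comment should say so, so that the open match is not later mistaken for an oversight.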
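Review bot: in the Allow-MLD rule in the second hunk (@@ -59,6 +66,18 @@), the four "list icmp_type" entries are bare numbers with no explanation and the rule has no comment above it. Please add one naming them (130 query, 131 report, 132 done, 143 MLDv2 report) and referencing RFC4890, since the v2 changelog says a note about it was added but the note is not in the file. "option src_ip fe80::/10" also makes this rule narrower than the "unfiltered" wording in the commit message: MLD messages with any other source address, for example reports sent from the unspecified address, will not match it. Please state in the comment whether that is intended. It is also worth confirming that the firewall accepts the numeric type/code form '130/0' for icmp_type, since nothing in the visible context of this file uses that form.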