firewall: Allow IGMP and MLD input on WAN

The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.

RFC4890 recommends leaving IGMP and MLD unfiltered as they are always
link-scoped anyway.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

SVN-Revision: 45613
master
Steven Barth 10 years ago
parent 336fc7a702
commit d534883a52
  1. 19
      package/network/config/firewall/files/firewall.config

@ -46,6 +46,13 @@ config rule
option family ipv4 option family ipv4
option target ACCEPT option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies # Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381 # see https://dev.openwrt.org/ticket/10381
config rule config rule
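Review bot: The new Allow-IGMP rule has no comment line above it, unlike the following rule, which carries "# Allow DHCPv6 replies". Add a one-line comment that gives the reason from the commit message (a snooping bridge/switch might drop traffic if the WAN port does not answer IGMP queries), because readers of firewall.config will not see the commit log. As written, the rule accepts every IGMP message from any source address on wan; if that breadth is intended, the comment is the place to say so.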
@ -59,6 +66,18 @@ config rule
option family ipv6 option family ipv6
option target ACCEPT option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic # Allow essential incoming IPv6 ICMP traffic
config rule config rule
option name Allow-ICMPv6-Input option name Allow-ICMPv6-Input
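Review bot: "option src_ip fe80::/10" in Allow-MLD limits the rule to link-local sources, while the commit message argues for leaving MLD unfiltered; add a comment above the rule explaining why the source restriction is there so the two do not read as contradictory. The same comment should name the numeric types, since the list entries give only numbers: 130 is the listener query, 131 the report, 132 the done message and 143 the MLDv2 report. The rule also pairs "option proto icmp" with "option family ipv6" and so depends on the family option to select ICMPv6; a short note in the comment would make that explicit.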
