firewall: Allow IGMP and MLD input on WAN
authorcyrus <cyrus@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Tue, 5 May 2015 13:22:41 +0000 (13:22 +0000)
committercyrus <cyrus@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Tue, 5 May 2015 13:22:41 +0000 (13:22 +0000)
The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.

RFC4890 recommends leaving IGMP and MLD unfiltered, as they are always
link-scoped anyway.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45613 3c298f89-4303-0410-b956-a3cf2f4a3e73

package/network/config/firewall/files/firewall.config

index d149e77..1a20e39 100644 (file)
@@ -46,6 +46,13 @@ config rule
        option family           ipv4
        option target           ACCEPT
 
+config rule
+       option name             Allow-IGMP
+       option src              wan
+       option proto            igmp
+       option family           ipv4
+       option target           ACCEPT
+
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule
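Review bot: The new Allow-IGMP rule accepts every IGMP message from any source address on the WAN segment, and unlike the DHCPv6 rule after it, it has no comment saying why the port is opened. The MLD rule added later in this commit is narrowed to link-local sources and four message types, whereas here link scope depends entirely on senders using TTL 1, which the rule does not check. I would add a comment above the rule, for example `# Allow IGMP so upstream snooping bridges/switches keep forwarding multicast; link-scoped by TTL 1, not enforced here`. It is also worth considering whether a rate limit via `option limit` is wanted, since this exposes the router's IGMP handling to anything on the WAN link.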
@@ -59,6 +66,18 @@ config rule
        option family           ipv6
        option target           ACCEPT
 
+config rule
+       option name             Allow-MLD
+       option src              wan
+       option proto            icmp
+       option src_ip           fe80::/10
+       list icmp_type          '130/0'
+       list icmp_type          '131/0'
+       list icmp_type          '132/0'
+       list icmp_type          '143/0'
+       option family           ipv6
+       option target           ACCEPT
+
 # Allow essential incoming IPv6 ICMP traffic
 config rule
        option name             Allow-ICMPv6-Input
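Review bot: The four numeric `icmp_type` entries in the Allow-MLD rule are opaque to anyone auditing the default ruleset, and the rule has no leading comment, unlike the rules around it. I would add `# Allow MLD: 130 query, 131 report, 132 done, 143 MLDv2 report` above `config rule`. The rule enforces link scope only through `option src_ip fe80::/10`; it does not match on hop limit 1, so the comment should say that the source match is the only scoping in place. The options of the following Allow-ICMPv6-Input rule lie outside the hunk, so I cannot tell whether the two rules overlap.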