[OpenWrt-Devel] firewall: Allow MLD input on WAN

Message ID 1430556650-5689-1-git-send-email-linus.luessing@c0d3.blue
State Superseded

Commit Message

Linus Lüssing May 2, 2015, 8:50 a.m. UTC
The WAN port should at least respond to MLD queries as otherwise
a snooping bridge/switch might drop traffic.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
---
 package/network/config/firewall/files/firewall.config |   12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Steven Barth May 3, 2015, 2:43 p.m. UTC | #1
Hello Linus,

thanks for the patch. I have two questions here.

#1 Why should this be done for v6 but not for v4?

#2 If the intention is to respond to MLD queries why should the firewall 
allow reception of report messages?
Cheers,

Steven
Linus Lüssing May 3, 2015, 4:53 p.m. UTC | #2
Hi Steven,

On Sun, May 03, 2015 at 04:43:24PM +0200, Steven Barth wrote:
> Hello Linus,
> 
> thanks for the patch. I have two questions here.
> 
> #1 Why should this be done for v6 but not for v4?

whoops, sorry, had the IGMP part for v4 in my test setup but forgot
to add it to the patch. Going to do that.

> 
> #2 If the intention is to respond to MLD queries why should the
> firewall allow reception of report messages?

Yes, responding to queries is the primary concern. Technically,
it doesn't make much of a difference to allow reception of report
messages. The default in OpenWrt is to have the querier on the
bridge, so reports shouldn't arrive on the input chain of br-wan
anyways as the bridge won't forward them (see RFC4541,
"Considerations for Internet Group Management Protocol (IGMP)
and Multicast Listener Discovery (MLD) Snooping Switches").

On the other hand, there's RFC4890, "Recommendations for Filtering
ICMPv6 Messages in Firewalls" which says in section 4.3.3, that
firewalls mustn't drop either queries or reports. MLD/IGMP traffic
shouldn't do any harm as it's always link-scoped.

Cheers, Linus
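The discussion above turns on two properties of the new rule: which MLD message types it admits from the WAN zone beyond the query (130) that the router must answer, and whether the source is pinned to link-local space as MLD requires. The following Python audit script is an added example and is not part of this patch or of the OpenWrt project; it parses UCI `firewall.config` syntax (the `config` / `option` / `list` lines shown in the patch) and reports those two properties for every IPv6 ICMP ACCEPT rule with `src wan` and no `dest` zone. The sample configuration embedded in it is constructed: the first rule mirrors the one in the patch, the second (`Allow-MLD-Query-Any`) is a hypothetical over-broad variant for contrast.

```python
"""Audit an OpenWrt UCI firewall.config for MLD input rules on the WAN zone.

Added example, not the project's own code.  The config text below is
constructed for the demonstration.
"""
import ipaddress
import shlex

# Constructed sample: first rule mirrors the patch, second is a hypothetical
# variant that accepts MLD queries from any IPv6 source.
SAMPLE_CONFIG = """
config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD-Query-Any
	option src		wan
	option proto		icmp
	list icmp_type		'130/0'
	option family		ipv6
	option target		ACCEPT
"""

# ICMPv6 type numbers used by MLD (RFC 2710 / RFC 3810).
MLD_TYPES = {130: "query", 131: "v1 report", 132: "done", 143: "v2 report"}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_uci(text):
    """Parse UCI sections into dicts. 'option' sets a scalar, 'list' appends."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted '130/0' values
        keyword = parts[0]
        if keyword == "config":
            current = {"_type": parts[1]}
            if len(parts) > 2:
                current["_name"] = parts[2]
            sections.append(current)
        elif keyword == "option" and current is not None:
            current[parts[1]] = parts[2]
        elif keyword == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def icmp_types(rule):
    """Numeric ICMP types a rule matches ('type/code' or bare 'type')."""
    types = set()
    for entry in rule.get("icmp_type", []):
        type_part = entry.split("/", 1)[0]
        if type_part.isdigit():  # symbolic names such as echo-request are skipped
            types.add(int(type_part))
    return types


def source_is_link_local(rule):
    """True only if every src_ip of the rule lies inside fe80::/10."""
    sources = rule.get("src_ip", [])
    if isinstance(sources, str):
        sources = [sources]
    if not sources:
        return False
    try:
        return all(ipaddress.IPv6Network(s, strict=False).subnet_of(LINK_LOCAL)
                   for s in sources)
    except (ValueError, TypeError):
        return False


def audit_mld(text):
    """Findings for each WAN-input IPv6 ICMP ACCEPT rule that admits MLD types."""
    findings = []
    for rule in parse_uci(text):
        if rule.get("_type") != "rule" or rule.get("src") != "wan":
            continue
        if rule.get("family") != "ipv6" or rule.get("proto") not in ("icmp", "icmpv6"):
            continue
        if rule.get("target") != "ACCEPT" or "dest" in rule:
            continue  # forwarding rules (with dest) are not input-chain rules
        admitted = icmp_types(rule) & set(MLD_TYPES)
        if not admitted:
            continue
        findings.append({
            "name": rule.get("name", "<unnamed>"),
            "mld_types": sorted(admitted),
            "beyond_query": sorted(admitted - {130}),  # reports/done, not queries
            "link_local_only": source_is_link_local(rule),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_mld(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports that `Allow-MLD` admits 131/132/143 in addition to the query (the point Steven raised) but only from link-local sources, while the constructed `Allow-MLD-Query-Any` rule admits queries from any source because it lacks the `src_ip` restriction.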

Patch

diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index d149e77..b9a48cd 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -59,6 +59,18 @@  config rule
 	option family		ipv6
 	option target		ACCEPT
 
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
 # Allow essential incoming IPv6 ICMP traffic
 config rule
 	option name		Allow-ICMPv6-Input
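Review bot: the rule accepts ICMPv6 types 131, 132 and 143 (MLD report and done messages) as well as the type 130 query that the commit message says the WAN port must answer; either narrow the list to `list icmp_type '130/0'` or record in the commit message the RFC 4890 section 4.3.3 rationale given in the thread for accepting reports, so the wider match is explained in the history rather than only in the discussion. The `option src_ip fe80::/10` restriction is appropriate, since MLD messages are sent from link-local sources, but the IPv4 IGMP counterpart acknowledged as missing in the thread is not part of this hunk.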