Message ID | 1430556650-5689-1-git-send-email-linus.luessing@c0d3.blue |
---|---|
State | Superseded |
Hello Linus,

thanks for the patch. I have two questions here.

#1 Why should this be done for v6 but not for v4?

#2 If the intention is to respond to MLD queries why should the firewall allow reception of report messages?

Cheers,
Steven
Hi Steven,

On Sun, May 03, 2015 at 04:43:24PM +0200, Steven Barth wrote:
> Hello Linus,
>
> thanks for the patch. I have two questions here.
>
> #1 Why should this be done for v6 but not for v4?

Woops, sorry, I had the IGMP part for v4 in my test setup but forgot to add it to the patch. Going to do that.

> #2 If the intention is to respond to MLD queries why should the
> firewall allow reception of report messages?

Yes, responding to queries is the primary concern. Technically, it doesn't make much of a difference to allow reception of report messages. The default in OpenWRT is to have the querier on the bridge, so reports shouldn't arrive on the input chain of br-wan anyway, as the bridge won't forward them (see RFC4541, "Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches"). On the other hand, there's RFC4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls", which says in section 4.3.3 that firewalls mustn't drop either queries or reports. MLD/IGMP traffic shouldn't do any harm as it's always link-scoped.

Cheers,
Linus
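The rule semantics discussed above, as an added example that is not part of the thread or of OpenWrt's fw3 code: a small Python model of the Allow-MLD match fields (family ipv6, proto icmp, src_ip fe80::/10, ICMPv6 types 130/131/132/143 with code 0) run over constructed packets. The addresses and packet descriptions are made up for the example; it assumes, as the existing Allow-ICMPv6-Input rule in the same file does, that `proto icmp` under `family ipv6` means ICMPv6. It also shows the one case the source filter does not cover: an MLDv2 report sent from the unspecified address `::`, which RFC 3810 section 5.2.13 permits before a host has a link-local address.

```python
"""Added example (not OpenWrt/fw3 code): a model of the proposed Allow-MLD rule.

It evaluates constructed ICMPv6 messages against the rule's match fields
(family ipv6, proto icmp, src_ip fe80::/10, icmp_type 130/0 131/0 132/0 143/0)
so the effect of the link-local source restriction can be seen on samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMPv6 types listed in the patch; names per RFC 2710 / RFC 3810.
MLD_TYPES = {
    130: "MLD query",
    131: "MLDv1 report",
    132: "MLDv1 done",
    143: "MLDv2 report",
}

# The patch's src_ip restriction.
ALLOW_MLD_SRC = ipaddress.IPv6Network("fe80::/10")


@dataclass
class Packet:
    """Minimal view of a packet on the WAN input chain (constructed, not captured)."""
    description: str
    family: int                  # 4 or 6
    proto: str                   # "icmp" (taken to mean ICMPv6 under family 6, as
                                 # the existing Allow-ICMPv6-Input rule relies on), "igmp", ...
    src: str
    icmp_type: Optional[int] = None
    icmp_code: int = 0


def allow_mld_matches(pkt: Packet) -> bool:
    """True when every match field of the Allow-MLD rule is satisfied."""
    if pkt.family != 6 or pkt.proto != "icmp" or pkt.icmp_type is None:
        return False
    if pkt.icmp_type not in MLD_TYPES or pkt.icmp_code != 0:
        return False
    try:
        return ipaddress.IPv6Address(pkt.src) in ALLOW_MLD_SRC
    except ValueError:
        return False


# Constructed samples. 2001:db8::/32 and 192.0.2.0/24 are documentation
# prefixes chosen for the example; none of these packets come from the thread.
SAMPLES = [
    Packet("MLD general query from a link-local querier", 6, "icmp", "fe80::1", 130),
    Packet("MLDv2 report from a link-local host", 6, "icmp", "fe80::2", 143),
    Packet("MLDv1 done from a link-local host", 6, "icmp", "fe80::3", 132),
    # RFC 3810 section 5.2.13 lets a host send reports from :: before it has a
    # link-local address; the fe80::/10 filter does not match that case.
    Packet("MLDv2 report from the unspecified address", 6, "icmp", "::", 143),
    # RFC 3810 section 5.1.14 requires queries to carry a link-local source,
    # so a global-sourced query is correctly left unmatched.
    Packet("MLD query with a global source", 6, "icmp", "2001:db8::1", 130),
    Packet("echo request, not an MLD type", 6, "icmp", "fe80::4", 128),
    Packet("IGMP membership report (IPv4, not covered by this rule)", 4, "igmp", "192.0.2.10"),
]


def evaluate(packets: List[Packet] = SAMPLES) -> List[Tuple[str, bool]]:
    """Return (description, matched-by-Allow-MLD) for each packet."""
    return [(p.description, allow_mld_matches(p)) for p in packets]


if __name__ == "__main__":
    for desc, matched in evaluate():
        print(f"{'ACCEPT' if matched else 'no match':<8} {desc}")
```

Of the seven constructed packets only the three link-local MLD messages match; the unspecified-source report, the global-source query, the echo request and the IGMP packet all fall through to whatever the later rules and the zone default do with them.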
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config index d149e77..b9a48cd 100644 --- a/package/network/config/firewall/files/firewall.config +++ b/package/network/config/firewall/files/firewall.config @@ -59,6 +59,18 @@ config rule option family ipv6 option target ACCEPT +config rule + option name Allow-MLD + option src wan + option proto icmp + option src_ip fe80::/10 + list icmp_type '130/0' + list icmp_type '131/0' + list icmp_type '132/0' + list icmp_type '143/0' + option family ipv6 + option target ACCEPT + # Allow essential incoming IPv6 ICMP traffic config rule option name Allow-ICMPv6-Input
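Review bot: the new Allow-MLD rule in the firewall.config hunk carries no explanatory comment, while the neighbouring rule is introduced by `# Allow essential incoming IPv6 ICMP traffic`; add a matching line above `config rule` / `option name Allow-MLD`, for example `# Allow incoming MLD queries and reports (link-local sources only)`, and use it to say why types 130/131/132/143 are accepted only with `option src_ip fe80::/10`. Separately, the hunk covers IPv6 only (`option family ipv6`, ICMPv6 types); the IGMP counterpart for IPv4, which the author confirmed in the thread was left out of this version, is still missing, so the commit message's point about the WAN port answering queries holds for MLD but not for IGMP until that rule is added.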
The WAN port should at least respond to MLD queries as otherwise a snooping bridge/switch might drop traffic.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
---
 package/network/config/firewall/files/firewall.config | 12 ++++++++++++
 1 file changed, 12 insertions(+)