From d534883a52925f39c2579e8da45fab7ca57ad84b Mon Sep 17 00:00:00 2001
From: Steven Barth <cyrus@openwrt.org>
Date: Tue, 5 May 2015 13:22:41 +0000
Subject: [PATCH] firewall: Allow IGMP and MLD input on WAN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.

RFC4890 recommends to leave IGMP and MLD unfiltered as they are always
link-scoped anyways.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

SVN-Revision: 45613
---
 .../config/firewall/files/firewall.config     | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index d149e77957..1a20e39ca5 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -46,6 +46,13 @@ config rule
 	option family		ipv4
 	option target		ACCEPT
 
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule
@@ -59,6 +66,18 @@ config rule
 	option family		ipv6
 	option target		ACCEPT
 
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
 # Allow essential incoming IPv6 ICMP traffic
 config rule
 	option name		Allow-ICMPv6-Input
-- 
GitLab