[OpenWrt-Devel] [PATCH] firewall: Allow MLD input on WAN

Linus Lüssing linus.luessing at c0d3.blue
Sun May 3 12:53:49 EDT 2015


Hi Steven,

On Sun, May 03, 2015 at 04:43:24PM +0200, Steven Barth wrote:
> Hello Linus,
> 
> thanks for the patch. I have two questions here.
> 
> #1 Why should this be done for v6 but not for v4?

Whoops, sorry, had the IGMP part for v4 in my test setup but forgot
to add it to the patch. Going to do that.

> 
> #2 If the intention is to respond to MLD queries why should the
> firewall allow reception of report messages?

Yes, responding to queries is the primary concern. Technically,
it doesn't make much of a difference to allow reception of report
messages. The default in OpenWRT is to have the querier on the
bridge, so reports shouldn't arrive on the input chain of br-wan
anyways as the bridge won't forward them (see RFC4541,
"Considerations for Internet Group Management Protocol (IGMP)
and Multicast Listener Discovery (MLD) Snooping Switches").

On the other hand, there's RFC4890, "Recommendations for Filtering
ICMPv6 Messages in Firewalls", which says in section 4.3.3 that
firewalls mustn't drop either queries or reports. MLD/IGMP traffic
shouldn't do any harm as it's always link-scoped.

Cheers, Linus
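For readers following the thread, an added illustration (editor's example, not the patch under review) of what such rules look like in OpenWrt's /etc/config/firewall UCI syntax: MLD is accepted on the WAN zone only from link-local sources, and the v4 counterpart admits IGMP. The zone name `wan` is assumed.

```uci
# Added example, not the patch under review. Assumes a zone named 'wan'.
# MLD messages always carry a link-local source address, so the accept
# rule is restricted to fe80::/10. Types: 130 query, 131 MLDv1 report,
# 132 MLDv1 done, 143 MLDv2 report (the set RFC 4890 says not to drop).
config rule
	option name	'Allow-MLD'
	option src	'wan'
	option proto	'icmp'
	option src_ip	'fe80::/10'
	option family	'ipv6'
	list icmp_type	'130/0'
	list icmp_type	'131/0'
	list icmp_type	'132/0'
	list icmp_type	'143/0'
	option target	'ACCEPT'

# IPv4 counterpart: IGMP is its own IP protocol (number 2), not ICMP,
# so it is matched by protocol name rather than by ICMP type.
config rule
	option name	'Allow-IGMP'
	option src	'wan'
	option proto	'igmp'
	option family	'ipv4'
	option target	'ACCEPT'
```

Because the rules only add ACCEPT entries on the input chain of the WAN zone for link-scoped protocols, they do not open any forwarding path; the zone's default input policy still applies to everything else.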
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel