From 5bb4316f717b498c56bfe4c0fbc5842c9035a20a Mon Sep 17 00:00:00 2001
From: Jan-Philipp Litza
Date: Tue, 2 Feb 2016 13:03:41 +0100
Subject: [PATCH] gluon-neighbour-info: Open firewall on WAN for respondd replies

If the query was via multicast, the response isn't matched by --state ESTABLISHED,RELATED
This fixes #619
---
 package/gluon-neighbour-info/Makefile | 2 ++
 .../gluon/upgrade/400-neighbour-info-firewall | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100755 package/gluon-neighbour-info/files/lib/gluon/upgrade/400-neighbour-info-firewall

diff --git a/package/gluon-neighbour-info/Makefile b/package/gluon-neighbour-info/Makefile
index 74aa6e8f..63586920 100644
--- a/package/gluon-neighbour-info/Makefile
+++ b/package/gluon-neighbour-info/Makefile
@@ -32,6 +32,8 @@ define Build/Compile endef define Package/gluon-neighbour-info/install + $(CP) ./files/* $(1)/ + $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_BUILD_DIR)/gluon-neighbour-info $(1)/usr/bin/ endef
diff --git a/package/gluon-neighbour-info/files/lib/gluon/upgrade/400-neighbour-info-firewall b/package/gluon-neighbour-info/files/lib/gluon/upgrade/400-neighbour-info-firewall
new file mode 100755
index 00000000..a6d7f490
--- /dev/null
+++ b/package/gluon-neighbour-info/files/lib/gluon/upgrade/400-neighbour-info-firewall
@@ -0,0 +1,20 @@
+#!/usr/bin/lua
+
+local uci = require('luci.model.uci').cursor()
+
+-- Allow incoming respondd replies to queries on WAN
+-- If the query was via multicast, the response isn't matched by --state RELATED
+uci:section('firewall', 'rule', 'wan_respondd_reply',
+ {
+ name = 'wan_respondd_reply',
+ src = 'wan',
+ src_ip = 'fe80::/64',
+ src_port = '1001',
+ dest_port = '32768:61000', -- see /proc/sys/net/ipv4/ip_local_port_range
+ proto = 'udp',
+ target = 'ACCEPT',
+ }
+)
+
+uci:save('firewall')
+uci:commit('firewall')
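Review bot: The `wan_respondd_reply` rule in the new upgrade script is stateless, so it accepts any UDP datagram from an `fe80::/64` neighbour on WAN that carries source port 1001, not only answers to a query this node actually sent. Because the source port is chosen by the sender, every UDP socket bound in 32768–61000 on the node becomes reachable from the WAN link. If gluon-neighbour-info can bind a fixed local port, put only that port in `dest_port`; in any case add `family = 'ipv6',` so the address-family restriction is explicit rather than inferred from `src_ip`. The hard-coded `32768:61000` also goes stale if `ip_local_port_range` is changed on a node, so a comment such as `-- stateless match: any fe80::/64 sender using sport 1001; keep range in sync with ip_local_port_range` would record the trade-off.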