gluon-respondd: allow access to respondd from mesh-internal addresses

like site.prefix6 and babel_mesh.prefix

package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall

@@ -1,6 +1,7 @@
 #!/usr/bin/lua
 
 local uci = require('simple-uci').cursor()
+local site = require('gluon.site')
 
 uci:delete('firewall', 'wan_announced')
 
@@ -14,7 +15,7 @@ uci:section('firewall', 'rule', 'wan_respondd', {
 	target = 'ACCEPT',
 })
 
--- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside
+-- Allow respondd-access on client_local
 uci:section('firewall', 'rule', 'client_respondd', {
 	name = 'client_respondd',
 	src = 'client_local',
@@ -33,4 +34,13 @@ uci:section('firewall', 'rule',  'mesh_respondd_ll', {
 	target = 'ACCEPT',
 })
 
+uci:section('firewall', 'rule',  'mesh_respondd_siteprefix', {
+	name = 'mesh_respondd_siteprefix',
+	src = 'mesh',
+	src_ip = site.prefix6(),
+	dest_port = '1001',
+	proto = 'udp',
+	target = 'ACCEPT',
+})
+
 uci:save('firewall')