From e5b4d25451c47e0585ce866318e4e70837d62b94 Mon Sep 17 00:00:00 2001
From: Christof Schulze
Date: Sun, 6 Aug 2017 00:02:39 +0200
Subject: [PATCH] gluon-respondd: allow access to respondd from mesh-internal addresses

---
 .../luasrc/lib/gluon/upgrade/400-respondd-firewall | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall b/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
index 757672ca..171eafca 100755
--- a/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
+++ b/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
@@ -1,6 +1,7 @@
 #!/usr/bin/lua
 
 local uci = require('simple-uci').cursor()
+local site = require('gluon.site')
 
 uci:delete('firewall', 'wan_announced')
 
@@ -14,7 +15,7 @@ uci:section('firewall', 'rule', 'wan_respondd', {
  target = 'ACCEPT',
 })
 
--- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside
+-- Allow respondd-access on client_local
 uci:section('firewall', 'rule', 'client_respondd', {
  name = 'client_respondd',
  src = 'client_local',
@@ -33,4 +34,13 @@ uci:section('firewall', 'rule', 'mesh_respondd_ll', {
  target = 'ACCEPT',
 })
 
+uci:section('firewall', 'rule', 'mesh_respondd_siteprefix', {
+ name = 'mesh_respondd_siteprefix',
+ src = 'mesh',
+ src_ip = site.prefix6(),
+ dest_port = '1001',
+ proto = 'udp',
+ target = 'ACCEPT',
+})
+
 uci:save('firewall')
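Review bot: The replacement comment above `client_respondd` (second hunk) drops the only record of why respondd sources are restricted at all. The old text said the restriction exists to prevent amplification attacks from outside, and a later editor needs that rationale before widening any `src_ip`. The rule body continues past the end of the hunk, so whether it still carries a link-local `src_ip` is not visible here. I would keep the reason next to the description, e.g. `-- Allow respondd on client_local; sources stay restricted so respondd cannot be used for amplification from outside`.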
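Review bot: In the added `mesh_respondd_siteprefix` rule (third hunk), `src_ip = site.prefix6()` is evaluated inside the table constructor, so a nil result leaves the key out and the rule would then accept UDP 1001 from any source on the `mesh` zone. Whether `prefix6` is mandatory in the site configuration is not visible from this patch, so this is worth confirming or guarding against; the fence below writes the rule only when a prefix exists and otherwise removes a stale section. Separately, the new rule has no comment. Site-prefix addresses are not confined to the local link the way the `mesh_respondd_ll` sources are, and UDP source addresses can be forged, so a comment should say why this wider scope is acceptable given the amplification concern the old comment named.

```lua
local prefix6 = site.prefix6()
if prefix6 then
	-- Allow respondd from mesh-internal (site prefix) sources only
	uci:section('firewall', 'rule', 'mesh_respondd_siteprefix', {
		-- … unchanged: name, src, dest_port, proto, target …
		src_ip = prefix6,
	})
else
	-- No prefix configured: never leave a rule without a source restriction
	uci:delete('firewall', 'mesh_respondd_siteprefix')
end
```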