aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Tunin <hanipouspilot@gmail.com>2018-07-28 17:48:42 +0300
committerJohn Crispin <john@phrozen.org>2018-07-30 10:43:36 +0200
commitc128371124ce4d197a5fbc00e42b58e9d82c571e (patch)
treeb21ff50227d024f6a242358257e7978ef57c3bf0
parent53a45020135b504cb4bee0fa8d98c8eaf6391066 (diff)
downloadupstream-c128371124ce4d197a5fbc00e42b58e9d82c571e.tar.gz
upstream-c128371124ce4d197a5fbc00e42b58e9d82c571e.tar.bz2
upstream-c128371124ce4d197a5fbc00e42b58e9d82c571e.zip
igmpproxy: drop SSDP packets
It is insecure to let this type of packets inside They can e.g. open ports on some other routers with UPnP, etc Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
-rw-r--r--package/network/services/igmpproxy/Makefile2
-rw-r--r--package/network/services/igmpproxy/files/igmpproxy.init12
2 files changed, 13 insertions, 1 deletions
diff --git a/package/network/services/igmpproxy/Makefile b/package/network/services/igmpproxy/Makefile
index d06402a267..488de6630d 100644
--- a/package/network/services/igmpproxy/Makefile
+++ b/package/network/services/igmpproxy/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=igmpproxy
PKG_VERSION:=0.2.1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/pali/igmpproxy/releases/download/${PKG_VERSION}/
diff --git a/package/network/services/igmpproxy/files/igmpproxy.init b/package/network/services/igmpproxy/files/igmpproxy.init
index 37fe62ad1b..c4af430681 100644
--- a/package/network/services/igmpproxy/files/igmpproxy.init
+++ b/package/network/services/igmpproxy/files/igmpproxy.init
@@ -68,6 +68,18 @@ igmp_add_firewall_routing() {
[[ "$direction" = "downstream" && ! -z "$zone" ]] || return 0
+# First drop SSDP packets then accept all other multicast
+
+ json_add_object ""
+ json_add_string type rule
+ json_add_string src "$upstream"
+ json_add_string dest "$zone"
+ json_add_string family ipv4
+ json_add_string proto udp
+ json_add_string dest_ip "239.255.255.250"
+ json_add_string target DROP
+ json_close_object
+
json_add_object ""
json_add_string type rule
json_add_string src "$upstream"