From: Michael Tremer Date: Wed, 24 Jun 2015 16:39:24 +0000 (+0200) Subject: firewall: Apply multicast rules to INPUT chain, too X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e39a4f148805c36c59850a114c3272f3ca20f5a;p=people%2Fms%2Fipfire-2.x.git firewall: Apply multicast rules to INPUT chain, too Rules with multicast destinations should also be applied to the INPUT chain so that multicast packets from RED can be received as well. Signed-off-by: Michael Tremer
---
diff --git a/config/cfgroot/network-functions.pl b/config/cfgroot/network-functions.pl
index 5cbf8fa93f..0714852dbc 100644
--- a/config/cfgroot/network-functions.pl
+++ b/config/cfgroot/network-functions.pl
@@ -246,6 +246,17 @@ sub ip_address_in_network($$) {
 	return (($address_bin ge $network_bin) && ($address_bin le $broadcast_bin));
 }
 
+sub ip_address_is_multicast($) {
+	my $network = shift;
+
+	# Get the first IP address from the network
+	unless (&check_ip_address($network)) {
+		$network = &get_netaddress($network);
+	}
+
+	return &ip_address_in_network($network, "224.0.0.0/4");
+}
+
 sub setup_upstream_proxy() {
 	my %proxysettings = ();
 	&General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
@@ -326,6 +337,12 @@ sub testsuite() {
 	$result = &ip_address_in_network("10.0.1.4", "10.0.0.0/8");
 	assert($result);
 
+	$result = &ip_address_is_multicast("224.0.0.0");
+	assert($result);
+
+	$result = &ip_address_is_multicast("224.1.2.3/30");
+	assert($result);
+
 	return 0;
 }
 
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index daa95651bb..b92679d3da 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
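Review bot: ip_address_is_multicast hands whatever get_netaddress returns straight to ip_address_in_network when its argument is not a valid single address, so a caller that passes something that is neither an address nor a network (rules.pl passes its `$destination` string, whose possible forms are not visible here) ends up range-checking a presumably undefined value. A guard after the unless block, `return 0 unless defined $network;`, would make the helper return a definite false for such input instead of relying on the comparison's behaviour on undef. The helper is also IPv4-only by construction (224.0.0.0/4), which the name does not say; a one-line comment above the sub, `# IPv4 only: true if the address or network lies in 224.0.0.0/4`, would spare the next caller a wrong assumption. The same string reaches the new `&Network::ip_address_is_multicast($destination)` call in the rules.pl hunk below.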
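Review bot: Both new assertions in testsuite are positive cases, so a helper that unconditionally returned true would still pass; add a negative check such as `$result = &ip_address_is_multicast("10.0.0.1"); assert(!$result);` and a boundary just outside the range, e.g. `"240.0.0.0"`. The testsuite body starts outside the hunk.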
@@ -389,13 +389,19 @@ sub buildrules {
 		# Add ratelimiting option
 		push(@options, @ratelimit_options);
 
+		# Check for multicast destination
+		my $is_multicast = 0;
+		if ($destination) {
+			$is_multicast = &Network::ip_address_is_multicast($destination);
+		}
+
 		my $firewall_is_in_source_subnet = 1;
 		if ($source) {
 			$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
 		}
 
 		my $firewall_is_in_destination_subnet = 1;
-		if ($destination) {
+		if ($destination && !$is_multicast) {
 			$firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
 		}
 
@@ -502,7 +508,8 @@ sub buildrules {
 		# If the firewall is part of the destination subnet and access to the destination network
 		# is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
 		# for the firewall, too.
-		if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
+		# Multicast packages will also always be received by the firewall.
+		if (($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) || $is_multicast) {
 			if ($LOG && !$NAT) {
 				run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
 			}
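Review bot: The added `|| $is_multicast` disjunct in the second hunk also bypasses the `$target ~~ @special_input_targets` test, so for a multicast destination an INPUT rule is emitted for every target, not only those that list permits; the commit message speaks only of multicast destinations being received by the firewall, so widening the target set looks unintended. If the intent is to treat a multicast destination like a subnet the firewall belongs to, `if (($firewall_is_in_destination_subnet || $is_multicast) && ($target ~~ @special_input_targets)) {` keeps the target filter in place. What @special_input_targets contains is not visible here; if it is the filter-table targets, the current form can emit INPUT rules for targets that were deliberately excluded, and the `!$NAT` guard covers only the LOG line. The new comment should say "packets" rather than "packages", and buildrules begins and continues outside both hunks.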