From 8e39a4f148805c36c59850a114c3272f3ca20f5a Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 24 Jun 2015 18:39:24 +0200
Subject: [PATCH] firewall: Apply multicast rules to INPUT chain, too

Rules with multicast destinations should also be applied to the INPUT chain so that multicast packets from RED can be received as well.

Signed-off-by: Michael Tremer
---
 config/cfgroot/network-functions.pl | 17 +++++++++++++++++
 config/firewall/rules.pl | 11 +++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/config/cfgroot/network-functions.pl b/config/cfgroot/network-functions.pl
index 5cbf8fa93f..0714852dbc 100644
--- a/config/cfgroot/network-functions.pl
+++ b/config/cfgroot/network-functions.pl
@@ -246,6 +246,17 @@ sub ip_address_in_network($$) {
 return (($address_bin ge $network_bin) && ($address_bin le $broadcast_bin));
 }
 
+sub ip_address_is_multicast($) {
+ my $network = shift;
+
+ # Get the first IP address from the network
+ unless (&check_ip_address($network)) {
+ $network = &get_netaddress($network);
+ }
+
+ return &ip_address_in_network($network, "224.0.0.0/4");
+}
+
 sub setup_upstream_proxy() {
 my %proxysettings = ();
 &General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
@@ -326,6 +337,12 @@ sub testsuite() {
 $result = &ip_address_in_network("10.0.1.4", "10.0.0.0/8");
 assert($result);
 
+ $result = &ip_address_is_multicast("224.0.0.0");
+ assert($result);
+
+ $result = &ip_address_is_multicast("224.1.2.3/30");
+ assert($result);
+
 return 0;
 }
 
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index daa95651bb..b92679d3da 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
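Review bot: `ip_address_is_multicast` has no guard for input that is neither a plain address nor a parsable network: when `&check_ip_address` fails, whatever `&get_netaddress` returns is handed straight to `&ip_address_in_network`, even if that is undef (what `get_netaddress` yields for unparsable input is not visible in this hunk). An explicit check after the conversion, `return 0 unless defined $network;`, makes the result for bad input deterministic instead of depending on how `ip_address_in_network` treats an undefined address. The sub is also IPv4-only by construction (`224.0.0.0/4`); a header comment such as `# Returns true if the given IPv4 address, or the network address of the given IPv4 network, lies within 224.0.0.0/4.` would document both the scope and the network-to-address conversion for callers.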
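Review bot: The two new assertions in testsuite cover only positive cases, so an implementation that returned true for every input would still pass. Add at least one negative and one boundary check alongside them, e.g. `assert(!&ip_address_is_multicast("10.0.0.1"));` and `assert(!&ip_address_is_multicast("240.0.0.0"));`, since 239.255.255.255 is the last address inside 224.0.0.0/4. testsuite's body continues outside the hunk.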
@@ -389,13 +389,19 @@ sub buildrules {
 # Add ratelimiting option
 push(@options, @ratelimit_options);
 
+ # Check for multicast destination
+ my $is_multicast = 0;
+ if ($destination) {
+ $is_multicast = &Network::ip_address_is_multicast($destination);
+ }
+
 my $firewall_is_in_source_subnet = 1;
 if ($source) {
 $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
 }
 
 my $firewall_is_in_destination_subnet = 1;
- if ($destination) {
+ if ($destination && !$is_multicast) {
 $firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
 }
 
@@ -502,7 +508,8 @@ sub buildrules {
 # If the firewall is part of the destination subnet and access to the destination network
 # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
 # for the firewall, too.
- if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
+ # Multicast packages will also always be received by the firewall.
+ if (($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) || $is_multicast) {
 if ($LOG && !$NAT) {
 run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
 }
-- 
2.39.5
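Review bot: Skipping the `&firewall_is_in_subnet` call when `$is_multicast` is set leaves `$firewall_is_in_destination_subnet` at its initial value of 1, so a multicast destination is still treated as a subnet the firewall belongs to wherever that variable is read later in buildrules (the function continues past this hunk). That also means the `|| $is_multicast` added in the second hunk only changes behaviour for targets outside `@special_input_targets`; if multicast destinations are not meant to count as a local subnet, assign the value explicitly, `$firewall_is_in_destination_subnet = $is_multicast ? 0 : &firewall_is_in_subnet($destination);`, inside the existing `if ($destination)` block. Whichever reading is intended, a one-line comment above the assignment stating it would spare the next reader the same question.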
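Review bot: The rewritten condition applies `|| $is_multicast` outside the `$target ~~ @special_input_targets` test, so for a multicast destination an INPUT rule is emitted for every target, not only those in that list. If the list exists to keep certain targets out of the INPUT chain (its contents are not visible in this hunk), the gate should stay in force: `if (($firewall_is_in_destination_subnet || $is_multicast) && ($target ~~ @special_input_targets)) {`. The smartmatch `~~` is carried over from the removed line; it has been experimental since Perl 5.18, and `List::Util::any` is the forward-compatible form. The added comment says "packages" where "packets" is meant. buildrules continues beyond this hunk.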