igmpproxy: drop SSDP packets

It is insecure to let this type of packets inside
They can e.g. open ports on some other routers with UPnP, etc

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>

diff --git a/package/network/services/igmpproxy/Makefile b/package/network/services/igmpproxy/Makefile
index d06402a267d989024dc9f66afcdcacbf25adaeea..488de6630d2e8a938d715494aaaa1f07c855da56 100644 (file)
--- a/package/network/services/igmpproxy/Makefile
+++ b/package/network/services/igmpproxy/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=igmpproxy
 PKG_VERSION:=0.2.1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/pali/igmpproxy/releases/download/${PKG_VERSION}/

diff --git a/package/network/services/igmpproxy/files/igmpproxy.init b/package/network/services/igmpproxy/files/igmpproxy.init
index 37fe62ad1b011318d110f5933cb13392b1976156..c4af43068145de4121e3ae98184e5c191ee00b3b 100644 (file)
--- a/package/network/services/igmpproxy/files/igmpproxy.init
+++ b/package/network/services/igmpproxy/files/igmpproxy.init
@@ -68,6 +68,18 @@ igmp_add_firewall_routing() {
 
        [[ "$direction" = "downstream" && ! -z "$zone" ]] || return 0
 
+# First drop SSDP packets then accept all other multicast
+
+       json_add_object ""
+       json_add_string type rule
+       json_add_string src "$upstream"
+       json_add_string dest "$zone"
+       json_add_string family ipv4
+       json_add_string proto udp
+       json_add_string dest_ip "239.255.255.250"
+       json_add_string target DROP
+       json_close_object
+
        json_add_object ""
        json_add_string type rule
        json_add_string src "$upstream"