From e5b4d25451c47e0585ce866318e4e70837d62b94 Mon Sep 17 00:00:00 2001
From: Christof Schulze <christof.schulze@gmx.net>
Date: Sun, 6 Aug 2017 00:02:39 +0200
Subject: [PATCH] gluon-respondd: allow access to respondd from mesh-internal
 addresses

---
 .../luasrc/lib/gluon/upgrade/400-respondd-firewall   | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall b/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
index 757672cab..171eafca9 100755
--- a/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
+++ b/package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall
@@ -1,6 +1,7 @@
 #!/usr/bin/lua
 
 local uci = require('simple-uci').cursor()
+local site = require('gluon.site')
 
 uci:delete('firewall', 'wan_announced')
 
@@ -14,7 +15,7 @@ uci:section('firewall', 'rule', 'wan_respondd', {
 	target = 'ACCEPT',
 })
 
--- Restrict respondd queries to link-local addresses to prevent amplification attacks from outside
+-- Allow respondd-access on client_local
 uci:section('firewall', 'rule', 'client_respondd', {
 	name = 'client_respondd',
 	src = 'client_local',
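Review bot: The replacement comment above `client_respondd` drops the only statement of why respondd access is source-restricted at all (amplification from outside). The rule body continues outside this hunk, so it is not visible whether a source-address restriction still applies to this rule; if it does, the comment should keep saying so. A wording that keeps the intent would be `-- Allow respondd access on client_local; sources stay restricted so respondd cannot be abused for amplification from outside`.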
@@ -33,4 +34,13 @@ uci:section('firewall', 'rule',  'mesh_respondd_ll', {
 	target = 'ACCEPT',
 })
 
+uci:section('firewall', 'rule',  'mesh_respondd_siteprefix', {
+	name = 'mesh_respondd_siteprefix',
+	src = 'mesh',
+	src_ip = site.prefix6(),
+	dest_port = '1001',
+	proto = 'udp',
+	target = 'ACCEPT',
+})
+
 uci:save('firewall')
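Review bot: The new `mesh_respondd_siteprefix` rule takes `src_ip` straight from `site.prefix6()` without checking that a value came back. If the accessor yields nil for a site without a prefix6 (not verifiable from this hunk), the rule would presumably be written with no source restriction and accept UDP 1001 from any address arriving on the mesh zone, which undoes the protection the link-local rule above is there for. I would read the prefix once, create the rule only when it is set, and delete any stale section otherwise. A comment above the rule should also record the reasoning, e.g. `-- Also accept respondd queries from the site's IPv6 prefix on mesh; all other sources stay blocked to avoid amplification`.

```lua
local prefix6 = site.prefix6()
if prefix6 then
	uci:section('firewall', 'rule', 'mesh_respondd_siteprefix', {
		-- … unchanged: name, src …
		src_ip = prefix6,
		-- … unchanged: dest_port, proto, target …
	})
else
	uci:delete('firewall', 'mesh_respondd_siteprefix')
end
```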
-- 
GitLab