X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1ee6211dcd0063197621004e6c7073bd801b8efe..429f4314d0d1be69f7500cf7f97671595804fdd0:/local.m4
diff --git a/local.m4 b/local.m4
index 0d67a97..4123a77 100644
--- a/local.m4
+++ b/local.m4
@@ -128,6 +128,13 @@ run iptables -A inbound -j ACCEPT \
 -s 172.29.198.0/23 \
 -p udp --source-port $port_bootpc --destination-port $port_bootps
+## Incoming broadcast multicast on a network interface associated with the
+## trusted network is OK, since it must have originated there (or been
+## forwarded, but we don't do that yet).
+run iptables -A inbound -j ACCEPT \
+ -s 0.0.0.0 -d 224.0.0.0/24 \
+ -i $if_trusted
+
 ## Allow incoming ping. This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
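Review bot: The added `run iptables -A inbound -j ACCEPT` rule matches every protocol, since it carries no `-p`; the only narrowing is the exact host source 0.0.0.0 (iptables reads a bare `-s 0.0.0.0` as /32, so this is not "any source"), the destination 224.0.0.0/24 and the `-i $if_trusted` match. If the traffic in mind is IGMP membership reports from hosts that do not yet have an address, which is the usual sender of 0.0.0.0 → 224.0.0.0/24, say so and pin the protocol: `-s 0.0.0.0 -d 224.0.0.0/24 -p igmp \`. The comment above the rule speaks of "broadcast multicast", but the rule matches neither 255.255.255.255 nor the subnet broadcast; a line such as `## Only the link-local multicast block (224.0.0.0/24) is accepted, and only from the unspecified source 0.0.0.0.` would keep a later edit from widening it to any source. The "must have originated there" argument rests on 224.0.0.0/24 being link-local scope that routers do not forward, combined with the interface match, and is worth stating explicitly because reverse-path filtering cannot vet a 0.0.0.0 source.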