On Tue, 30 Oct 2012, Gene Czarcinski wrote:
> 1. dhcpv6 solicit: from=fe80::client:546 to=ff02::1:2:547
> 2. dhcpv6 advertise: from=fe80::server:547 to=fe80::client:546
> 3. dhcpv6 request: from=fe80::client:546 to=ff02::1:2:547
> 4. dhcpv6 reply: from=fe80::server:547 to=fe80::client:546
I think the rules you want are these (we use the symbolic
names for the packet sub-type as it makes things clearer):
# /etc/sysconfig/ip6tables
# ...
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -s $IP6SERVER -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# ...
I do not know that you need to filter or attempt to direct
'router-solicitation' as your comments mentioned. We have not
had a 'real world' need to do so. We run a variation of these
rules at pmman.
from: man 8 ip6tables
   icmp6
       This extension can be used if ʽ--protocol ipv6-icmpʼ or
       ʽ--protocol icmpv6ʼ is specified. It provides the following
       option:

       [!] --icmpv6-type type[/code]|typename
              This allows specification of the ICMPv6 type, which
              can be a numeric ICMPv6 type, type and code, or one
              of the ICMPv6 type names shown by the command
               ip6tables -p ipv6-icmp -h
-- Russ herrold
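
Added example, not part of the message above or of libvirt: a small Python model of first-match evaluation over the four INPUT rules quoted in the message, showing why the two router-advertisement rules have to come before the catch-all ipv6-icmp ACCEPT. The address fe80::1 standing in for $IP6SERVER, the sample packets, and the helper names verdict and misordered are assumptions made for the illustration.

```python
# Added example: first-match walk over the four INPUT rules from the message.
# Constructed addresses; the "# ..." lines of the real file are not modelled,
# and -s is compared as an exact string rather than as an address/prefix.
IP6SERVER = "fe80::1"  # assumed stand-in for the $IP6SERVER placeholder

# (protocol, icmpv6 type, source, target); None matches anything
RULES = [
    ("ipv6-icmp", "router-advertisement", IP6SERVER, "ACCEPT"),
    ("ipv6-icmp", "router-advertisement", None, "DROP"),
    ("ipv6-icmp", None, None, "ACCEPT"),
    (None, None, None, "REJECT"),
]


def verdict(rules, proto, src, icmp_type=None):
    """Return the target of the first rule that matches the packet."""
    for r_proto, r_type, r_src, target in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        if r_src is not None and r_src != src:
            continue
        return target
    return "POLICY"  # nothing matched: the chain policy would decide


def misordered(rules):
    """Same rules, with the catch-all ICMPv6 ACCEPT moved to the top."""
    generic = [r for r in rules if r[0] == "ipv6-icmp" and r[1] is None]
    return generic + [r for r in rules if r not in generic]


if __name__ == "__main__":
    samples = [  # constructed packets: (proto, source, icmpv6 type)
        ("ipv6-icmp", IP6SERVER, "router-advertisement"),
        ("ipv6-icmp", "fe80::bad", "router-advertisement"),
        ("ipv6-icmp", "fe80::bad", "neighbour-solicitation"),
        ("udp", IP6SERVER, None),
    ]
    for proto, src, kind in samples:
        print(proto, src, kind, "->", verdict(RULES, proto, src, kind),
              "| misordered:", verdict(misordered(RULES), proto, src, kind))
```

In this model a UDP packet from the server falls through to the final REJECT, so the DHCPv6 replies in the quoted exchange depend on rules in the elided "# ..." lines.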