On Fri, May 01, 2015 at 08:33:03AM +0200, Jan Engelhardt wrote:
>
> On Friday 2015-05-01 04:56, Linus Lüssing wrote:
> >
> >According to RFC4890 ("Recommendations for Filtering ICMPv6
> >Messages in Firewalls"), page 35, a rule like this should match
> >MLD packets:
> >
> >$ ip6tables -A icmpv6-filter -p icmpv6 --icmpv6-type {130,131,132,143} ...
> >
> >However, this does not seem to work for me. My guess is that it
> >does not match because --protocol is not 'icmpv6' but actually
> >the hop-by-hop-option first.
> >Also, is there a way to somehow match IPv6 protocols with IPv6
> >options in between?
>
> -p matches the first non-extension header. For the
> exthdrs, there is e.g. -m hbh.
You're right, I had made a wrong assumption about ip6tables... It
wasn't ip6tables incapabilities but a bug in OpenWRT which set a
default ICMPv6 code of 255 instead of 0 when not specifying it
next to the ICMPv6 type in its config. Thanks for your help!
Awesome that ip6tables is that smart :).
Cheers, Linus
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
