Re: ip6tables icmp conntracking on 2.6.18 vs 2.6.24


On Thu, 3 Apr 2008, martin f krafft wrote:

> thus spoke Nicolas KOWALSKI <niko@xxxxxxxxxxxxxxxxx> [2008.04.03.1735 +0200]:
> > IN=eth0 OUT= MAC=33:33:00:00:00:02:00:0f:1f:c9:4e:7d:86:dd
> > SRC=fe80:0000:0000:0000:020f:1fff:fec9:4e7d
> > DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0
> > HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
> 
> Exactly. router-solicitation being matched by INVALID.

ICMPv6 non-error types (i.e. above type 128) - with the exception of 
echo-request (128) and node information query (139) - are not tracked 
yet, thus such packets are marked as INVALID.

In order to handle ICMPv6 in the best way I'd suggest reading RFC 4890, 
titled "Recommendations for Filtering ICMPv6 Messages in Firewalls", which 
even comes with a sample ip6tables script.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
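The practical consequence of Jozsef's answer is a question of rule order: because Router Solicitation and the other Neighbor Discovery types (133-137) are not tracked, they are classified INVALID, so they have to be accepted before any rule that drops INVALID packets, or the host loses neighbor and router discovery. The script below is an added example for this thread; it is not the RFC 4890 sample script and not code posted by anyone on the list. It assumes the `state` and `hl` matches of ip6tables, and the `DRY_RUN` variable and the functions `run_rule`, `build_icmpv6_rules` and `invalid_rule_index` are names chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread and not RFC 4890's script): emit the
# INPUT-chain rules in the order needed so that untracked ICMPv6 Neighbor
# Discovery messages are accepted before the INVALID drop rule.
# With DRY_RUN=1 the ip6tables commands are printed instead of executed,
# so the rule set can be reviewed without root or ip6tables installed.
IP6TABLES="${IP6TABLES:-ip6tables}"
DRY_RUN="${DRY_RUN:-0}"

# run_rule prints (dry run) or executes one ip6tables command.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IP6TABLES" "$*"
    else
        "$IP6TABLES" "$@"
    fi
}

# build_icmpv6_rules emits the rules; order is what matters here.
build_icmpv6_rules() {
    # Neighbor Discovery (133-137) is link-local and, per RFC 4890,
    # always carries hop limit 255, so the hl match rejects forwarded
    # or spoofed-from-afar copies while letting real NDP through.
    for t in 133 134 135 136 137; do
        run_rule -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Error messages (types 1-4) are tracked by conntrack, but RFC 4890
    # says they must not be dropped, so accept them explicitly as well.
    for t in 1 2 3 4; do
        run_rule -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # echo-request (128) is tracked; accept it so ping6 keeps working.
    run_rule -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
    # Only after the explicit accepts may INVALID be dropped.
    run_rule -A INPUT -m state --state INVALID -j DROP
    run_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# invalid_rule_index returns the 1-based position of the INVALID drop rule
# in the emitted list, so a caller can check it sits after the NDP accepts.
invalid_rule_index() {
    (DRY_RUN=1; build_icmpv6_rules) | grep -n -- '--state INVALID' | cut -d: -f1
}

case "${1:-}" in
    --print) (DRY_RUN=1; build_icmpv6_rules) ;;   # review the rules
    --apply) build_icmpv6_rules ;;                # load them (needs root)
esac
```

Run it with `--print` first and confirm the `--state INVALID` line appears below the five `--icmpv6-type 13x` accepts; the same ordering applies to a FORWARD chain on a router, where the hop-limit check is what keeps NDP from being forwarded off-link.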

