On Mon, 2010-08-30 at 15:18 +0200, Jozsef Kadlecsik wrote:
> The sample script in the RFC tries to handle both cases: kernel with and
> without IPv6 connection tracking (STATE_ENABLED shell variable).

I noticed that, but even the stateful part explicitly references the actual icmpv6 type. AFAIK, in IPv4 netfilter you would not need to do that, as the ancillary ICMP traffic caused by existing conntrack entries is matched by ESTABLISHED,RELATED automatically. Is this not the case for IPv6?

The code snippet in question:

    if [ "$STATE_ENABLED" -eq "1" ]
    then
        # Allow incoming destination unreachable messages
        # only for existing sessions
        for inner_prefix in $INNER_PREFIXES
        do
            ip6tables -A icmpv6-filter -m state -p icmpv6 \
                -d $inner_prefix \
                --state ESTABLISHED,RELATED --icmpv6-type \
                destination-unreachable -j ACCEPT
        done
    else
        # Allow incoming destination unreachable messages
        for inner_prefix in $INNER_PREFIXES
        do
            ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
                --icmpv6-type destination-unreachable -j ACCEPT
        done
    fi
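As an added example (not part of this message or of the RFC sample script), the following shell function generates the same two variants of the icmpv6-filter rules, extended to all four ICMPv6 error types, and prints them instead of executing them so the resulting ruleset can be reviewed before it is loaded. The function name, the ERROR_TYPES list and the 2001:db8::/32 documentation prefixes are this example's own.

```sh
#!/bin/sh
# Added example: dry-run generator for the ICMPv6 error-message rules of an
# "icmpv6-filter" chain.  Nothing here is taken from the RFC script; the
# function and variable names below are hypothetical.

# ICMPv6 error types that ip6tables accepts by name for --icmpv6-type.
ERROR_TYPES="destination-unreachable packet-too-big time-exceeded parameter-problem"

# icmpv6_error_rules STATE_ENABLED PREFIX...
#   STATE_ENABLED=1 : kernel has IPv6 conntrack; only accept error messages
#                     that belong to an ESTABLISHED or RELATED flow.
#   STATE_ENABLED=0 : no IPv6 conntrack; accept the error types for the
#                     inner prefixes unconditionally (the weaker fallback).
# Emits one ip6tables command per line on stdout and runs nothing.
icmpv6_error_rules() {
    state_enabled=$1
    shift
    for inner_prefix in "$@"; do
        for t in $ERROR_TYPES; do
            if [ "$state_enabled" -eq 1 ]; then
                printf 'ip6tables -A icmpv6-filter -m state -p icmpv6 -d %s --state ESTABLISHED,RELATED --icmpv6-type %s -j ACCEPT\n' \
                    "$inner_prefix" "$t"
            else
                printf 'ip6tables -A icmpv6-filter -p icmpv6 -d %s --icmpv6-type %s -j ACCEPT\n' \
                    "$inner_prefix" "$t"
            fi
        done
    done
}

# Constructed inner prefixes for the demonstration (RFC 3849 documentation range).
icmpv6_error_rules 1 2001:db8:1::/64 2001:db8:2::/64
```

Piping the output through `sh` applies it; leaving it on stdout lets you diff the stateful and stateless variants before choosing one.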