Re: [nftables v0.9.2 | kernel 4.19.93] ICMPv6 ingress dropped despite accept rule

On Mon, Feb 03, 2020 at 12:33:14PM +0000, kfm@xxxxxxxxxxxxx wrote:
> On 03/02/2020 12:15, Duncan Roe wrote:
> > On Mon, Feb 03, 2020 at 10:56:03PM +1100, Duncan Roe wrote:
> > > On Mon, Feb 03, 2020 at 10:56:24AM +0000, ????????????? wrote:
[...]
> >
> > Simpler solution: rename table ip6 filter chain input (to input2, say), then
> > move that chain into table inet filter.
> >
> > Insert the rule "icmpv6 jump input2" into chain input somewhere before the log
> > rule.
>
> Apparently, we are thinking along the same lines but that's not a valid
> icmpv6 header expression. A rule such as "meta l4proto ipv6-icmp jump
> input2" should do the trick.
>
> --
> Kerin Millar
>
Yes indeed Kerin, I noticed that on checking the man page after I'd posted.
Was about to post something but then answered the OP's new question instead.
I now think it would be more efficient to replace the whole chain with 1 rule

> icmpv6 type { packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-advert, nd-redirect, 149, 151, 153 } meta nftrace set 1 accept

Cheers ... Duncan.
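For reference, the arrangement discussed in this thread written out as a complete ruleset (an added example, not the configuration of anyone in the thread; the extra rules in chain input, the lo/ct rules and the log prefix are assumptions):

```nft
#!/usr/sbin/nft -f
# Constructed example: the old "ip6 filter input" chain moved into the inet
# table as a regular chain, reached via a jump that sits before the log rule.
flush ruleset

table inet filter {
    # Regular (non-hooked) chain; formerly the ip6 filter input chain.
    chain input2 {
        # In an inet table "icmpv6 type" implicitly matches only IPv6 packets.
        # Type set copied from the reply above; "meta nftrace set 1" tags the
        # packets for "nft monitor trace" and can be removed once it works.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-advert, nd-redirect, 149, 151, 153 } meta nftrace set 1 accept
        # No match: control returns to chain input at the rule after the jump.
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # "icmpv6 jump input2" is not a valid expression; select the
        # transport protocol with meta l4proto instead. Must precede the
        # log/drop rule or ICMPv6 never reaches input2.
        meta l4proto ipv6-icmp jump input2

        # Everything not accepted above is logged and dropped (assumed prefix).
        log prefix "inet-input-drop: " counter drop
    }
}
```

Load with `nft -f <file>` and watch accepted ICMPv6 with `nft monitor trace` while the nftrace rule is in place.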
