proper ICMPv6 syntax for specific daddr


 



I can successfully enable ping for IPv6 using this rule:

nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept

I have one physical ethernet card which is assigned five IPv6 addresses.
What I want to do is enable it for only 2 of 5 IPv6 addresses, like so:

nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept

...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second
rule still works but now the first doesn't.  I've tried using sets like so:

nft add rule ip6 filter input ip6 daddr @trusted ip6 nexthdr icmpv6 counter limit rate 5/second accept
nft add rule ip6 filter input ip6 daddr @admin ip6 nexthdr icmpv6 counter limit rate 5/second accept

... with the same result: the second rule is ignored. What am I doing wrong? Is there something about ICMP and multiple IP addresses on one interface that I'm not aware of? How do I write multiple rules that each enable one daddr?
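The following is an added example, not code from the post above or from the netfilter project. It writes a complete ip6 table that accepts rate-limited echo requests to a set of chosen addresses with one rule instead of one rule per address, and it adds the caveat a practitioner would check first with this symptom: neighbour discovery is also ICMPv6, and neighbour solicitations for an address arrive at its solicited-node multicast group, not at the global unicast daddr, so a filter keyed only on `ip6 daddr` drops them and the address stops being reachable regardless of the echo rule. Whether that is the cause in the poster's setup is not established by the post; the rule set simply accepts those types for every address so the question cannot arise. The addresses 2001:db8:43:a:83::5 and ::6 are documentation-prefix placeholders standing in for the poster's redacted ones.

```shell
#!/bin/sh
# Added example: complete ip6 ruleset allowing rate-limited ping to a set of
# addresses while keeping IPv6 neighbour discovery working for all of them.
# 2001:db8:43:a:83::5 / ::6 are placeholders for the poster's xxxx:43:a:83::5 / ::6.

gen_ruleset() {
  cat <<'EOF'
table ip6 filter {
    set pingable {
        type ipv6_addr
        elements = { 2001:db8:43:a:83::5, 2001:db8:43:a:83::6 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Neighbour discovery is ICMPv6 too, but NS/NA/RA are sent to
        # link-local and solicited-node multicast destinations, so a rule
        # keyed on a global unicast daddr never matches them. Accept them
        # for every address; otherwise a peer with no neighbour-cache entry
        # for an address cannot reach it no matter what the echo rule says.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Error messages the stack needs for PMTU discovery and diagnostics.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Echo requests only to the chosen addresses, rate limited. One rule
        # with a set replaces one rule per address. 'icmpv6 type' implies the
        # meta l4proto icmpv6 match, so 'ip6 nexthdr icmpv6' is not needed.
        ip6 daddr @pingable icmpv6 type echo-request limit rate 5/second counter accept
    }
}
EOF
}

# Dry-run the ruleset through the parser without loading it, if nft is present
# ('nft -f -' reads the ruleset from stdin). Returns non-zero only if nft
# rejects it; when nft is not installed the check is skipped.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Number of ICMPv6 accept rules in the generated ruleset (sanity check).
count_icmpv6_accepts() {
  gen_ruleset | grep -c 'icmpv6 type .* accept'
}

# Usage: gen_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
gen_ruleset
check_ruleset
```

Load it with `gen_ruleset | nft -f -` (as root) and confirm with `nft list ruleset` that the `pingable` set holds both addresses; `ping6` from another host to each address should then succeed while ping to the other three addresses is dropped, and the `counter` on the echo rule shows which packets the limit let through.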


