Re: Problem with ipv6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 9 Oct 2024 10:46:34 +0200
Daniel <tech@xxxxxxxxxx> wrote:

> 
> Le 09/10/2024 à 10:11, Carl Lei a écrit :
> > On Wed, 9 Oct 2024 09:50:22 +0200
> > Daniel<tech@xxxxxxxxxx>  wrote:
> >
> >> Le 08/10/2024 à 22:28, Kevin P. Fleming a écrit :
> >>> On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
> >>>>            chain output {
> >>>>                    type filter hook output priority filter;
> >>>> policy drop; ct state { established, related } accept
> >>>>                    ip protocol icmp icmp type echo-request accept
> >>>>                    ip protocol icmp icmp type echo-request ip
> >>>> daddr 127.0.0.1 accept
> >>>>                    icmpv6 type echo-request accept
> >>>>                    ip protocol { tcp, udp } th dport 53 accept
> >>>>                    tcp dport 123 accept
> >>>>                    tcp dport { 80, 443 } accept
> >>>>                    tcp dport { 25, 465, 587, 993, 995, 4190 }
> >>>> accept }
> >>> What happens if you change this policy to 'accept', and make no
> >>> other changes?
> >> Or simply add new in state
> >>
> >> ct state { established, related, new } accept
> > IIRC many NDP packets have ct state = untracked, so you are
> > proposing to accept all TCP+UDP connections and still having broken
> > IPv6.
> Well, from my understanding, policy accept does the same

Well, if you meant to keep policy=drop and to add ctstate=new ->
accept, it won't accept untracked NDP packets, so not going to work.

Also IIRC assigning NDP packets state=untracked may be a recent kernel
change, so results may vary between kernel versions.






[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux