Re: Problem with ipv6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Le 09/10/2024 à 11:19, Carl Lei a écrit :
On Wed, 9 Oct 2024 10:46:34 +0200
Daniel <tech@xxxxxxxxxx> wrote:

Le 09/10/2024 à 10:11, Carl Lei a écrit :
On Wed, 9 Oct 2024 09:50:22 +0200
Daniel<tech@xxxxxxxxxx>  wrote:

Le 08/10/2024 à 22:28, Kevin P. Fleming a écrit :
On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
            chain output {
                    type filter hook output priority filter;
policy drop; ct state { established, related } accept
                    ip protocol icmp icmp type echo-request accept
                    ip protocol icmp icmp type echo-request ip
daddr 127.0.0.1 accept
                    icmpv6 type echo-request accept
                    ip protocol { tcp, udp } th dport 53 accept
                    tcp dport 123 accept
                    tcp dport { 80, 443 } accept
                    tcp dport { 25, 465, 587, 993, 995, 4190 }
accept }
What happens if you change this policy to 'accept', and make no
other changes?
Or simply add new in state

ct state { established, related, new } accept
IIRC many NDP packets have ct state = untracked, so you are
proposing to accept all TCP+UDP connections and still having broken
IPv6.
Well, from my understanding, policy accept does the same
Well, if you meant to keep policy=drop and to add ctstate=new ->
accept, it won't accept untracked NDP packets, so not going to work.

Yes. What I have

chain output {
                type filter hook output priority filter; policy drop;
                meta l4proto ipv6-icmp counter packets 601917 bytes 34178441 accept                 oif "eth0" ct state established,related,new counter packets 5373812 bytes 64917554996 accept
                oif "lo" accept
        }

and it does the job

[...]

--
Daniel ]




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux