[OpenWrt-Devel] [PATCH] firewall3: Fix multicast ICMPv6 replies not being sent by default anymore.

Vittorio Gambaletta (VittGam) openwrt at vittgam.net
Sun May 1 23:29:58 EDT 2016


Since drop_invalid has been turned on by default, ICMPv6 echo requests
to well-known multicast addresses, such as ff02::1, are not replied to
by the router anymore, because conntrack considers those outgoing reply
packets to be invalid.

Fix this by not having the INVALID rule in the OUTPUT chain match IPv6
packets destined to link-local addresses (fe80::/10).

Signed-off-by: Vittorio Gambaletta <openwrt at vittgam.net>
---

--- a/defaults.c
+++ b/defaults.c
@@ -222,6 +222,16 @@ fw3_print_default_head_rules(struct fw3_
 			if (defs->drop_invalid)
 			{
 				r = fw3_ipt_rule_new(handle);
+				if (i == 2 && handle->family == FW3_FAMILY_V6) {
+					struct fw3_address mcdst = {
+						.set = true,
+						.invert = true,
+						.family = FW3_FAMILY_V6,
+						.address.v6.s6_addr = { 0xfe, 0x80 },
+						.mask.v6.s6_addr = { 0xff, 0xc0 },
+					};
+					fw3_ipt_rule_src_dest(r, NULL, &mcdst);
+				}
 				fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
 				fw3_ipt_rule_target(r, "DROP");
 				fw3_ipt_rule_append(r, chains[i]);
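Review bot: the exemption is broader than the bug it fixes. With `.invert = true` on fe80::/10 and `fw3_ipt_rule_src_dest(r, NULL, &mcdst)`, the OUTPUT rule becomes `! -d fe80::/10 -m conntrack --ctstate INVALID -j DROP`, so every outgoing IPv6 packet to a link-local destination skips the INVALID drop, not only the ICMPv6 echo replies to multicast requests described in the commit message; consider narrowing the exemption to ICMPv6 (protocol ipv6-icmp) or at least stating the intended scope in a comment. Two readability points in the same block: `mcdst` names a link-local unicast destination, not a multicast one, and `i == 2` is a magic index into `chains[]` that the reader has to resolve to OUTPUT by hand; a named constant or a short comment saying which chain is meant would make the intent clear.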
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel