[OpenWrt-Devel] [PATCH v2] firewall3: Fix multicast ICMPv6 replies not being sent by default anymore.

Baptiste Jonglez baptiste at bitsofnetworks.org
Mon May 2 15:54:06 EDT 2016


On Mon, May 02, 2016 at 09:37:07PM +0200, Baptiste Jonglez wrote:
> On Mon, May 02, 2016 at 08:17:48PM +0200, Vittorio Gambaletta (VittGam) wrote:
> > Since drop_invalid has been turned on by default, ICMPv6 echo requests
> > to well-known multicast addresses, such as ff02::1, are not replied to
> > by the router anymore, because conntrack considers those outgoing reply
> > packets to be invalid.
> > 
> > Fix this by not having the INVALID rule in the OUTPUT chain match IPv6
> > packets destined to link-local addresses (fe80::/10).
> 
> I'm not sure I understand: the multicast ICMP packets you mention have a
> destination address of ff02::1, which is not in fe80::/10.  Did you intend
> to allow all of ff00::/8 as destination (which is probably much too
> permissive), or did I miss something?

I *did* miss something: this rule is added to the output path, not the
input path.  Sorry for the noise.

I wonder if it's the only legitimate kind of traffic that gets dropped by
the INVALID rule, though.

> > Signed-off-by: Vittorio Gambaletta <openwrt at vittgam.net>
> > ---
> > 
> > diff --git a/defaults.c b/defaults.c
> > index 3d210f9..ea905e0 100644
> > --- a/defaults.c
> > +++ b/defaults.c
> > @@ -180,6 +180,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> >  		"FORWARD", "forwarding",
> >  	};
> >  
> > +	struct fw3_address mcdst = {
> > +		.set = true,
> > +		.invert = true,
> > +		.family = FW3_FAMILY_V6,
> > +		.address.v6.s6_addr = { 0xfe, 0x80 },
> > +		.mask.v6.s6_addr = { 0xff, 0xc0 },
> > +	};
> > +
> >  	switch (handle->table)
> >  	{
> >  	case FW3_TABLE_FILTER:
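Review bot: the name `mcdst` reads as "multicast destination", but the pair `.address.v6.s6_addr = { 0xfe, 0x80 }` / `.mask.v6.s6_addr = { 0xff, 0xc0 }` together with `.invert = true` encodes "destination not in fe80::/10", i.e. an exemption for link-local unicast destinations, not a multicast match; a name such as `ll_dst` and a one-line comment saying that conntrack flags the replies to ff02::1 as INVALID and that the match is inverted would spare the next reader the decoding the commit message had to do. The struct is also built on every call of fw3_print_default_head_rules() although it is consumed only inside the FW3_TABLE_FILTER / drop_invalid / IPv6 branch; declaring it there would keep it next to its single use.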
> > @@ -215,6 +223,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> >  			if (defs->drop_invalid)
> >  			{
> >  				r = fw3_ipt_rule_new(handle);
> > +				if (i == 2 && handle->family == FW3_FAMILY_V6)
> > +					fw3_ipt_rule_src_dest(r, NULL, &mcdst);
> >  				fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
> >  				fw3_ipt_rule_target(r, "DROP");
> >  				fw3_ipt_rule_append(r, chains[i]);
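Review bot: `i == 2` hard-codes the position of the OUTPUT entry in the `chains` array, so a later reordering of that array silently moves the exemption to another chain; comparing `chains[i]` against the chain name (or giving the index a named constant) and adding a comment would make the intent explicit. The exemption is also broader than the commit message states: every packet in ctstate INVALID with a fe80::/10 destination now bypasses the DROP, not only the ICMPv6 echo replies the message describes. If that is intended, the commit message should say so; otherwise a `-p icmpv6` match on the exempted rule, or a separate accept rule for ICMPv6 placed ahead of the INVALID drop, would keep the fix scoped to the reported problem.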
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel at lists.openwrt.org
> > https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
