[OpenWrt-Devel] [PATCH v2] firewall3: Fix multicast ICMPv6 replies not being sent by default anymore.

Vittorio Gambaletta (VittGam) openwrt at vittgam.net
Mon May 2 14:17:48 EDT 2016


Since drop_invalid has been turned on by default, ICMPv6 echo requests
to well-known multicast addresses, such as ff02::1, are not replied to
by the router anymore, because conntrack considers those outgoing reply
packets to be invalid.

Fix this by not having the INVALID rule in the OUTPUT chain match IPv6
packets destined to link-local addresses (fe80::/10).

Signed-off-by: Vittorio Gambaletta <openwrt at vittgam.net>
---

diff --git a/defaults.c b/defaults.c
index 3d210f9..ea905e0 100644
--- a/defaults.c
+++ b/defaults.c
@@ -180,6 +180,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 		"FORWARD", "forwarding",
 	};
 
+	struct fw3_address mcdst = {
+		.set = true,
+		.invert = true,
+		.family = FW3_FAMILY_V6,
+		.address.v6.s6_addr = { 0xfe, 0x80 },
+		.mask.v6.s6_addr = { 0xff, 0xc0 },
+	};
+
 	switch (handle->table)
 	{
 	case FW3_TABLE_FILTER:
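Review bot: the name `mcdst` is misleading for what the initializer describes: `fe80::/10` (address `0xfe, 0x80` with mask `0xff, 0xc0`) is the link-local unicast range, not a multicast range, and with `.invert = true` the match reads "destination not in fe80::/10". Since the commit message explains that the replies to ff02::1 go back to the requester's link-local address, a name such as `lldst` plus a one-line comment stating that intent would make the rule self-explanatory to the next reader. Also worth noting that the struct is only meaningful for `FW3_FAMILY_V6` but is built unconditionally at the top of the function, so a comment tying it to the family check in the loop below would help.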
@@ -215,6 +223,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 			if (defs->drop_invalid)
 			{
 				r = fw3_ipt_rule_new(handle);
+				if (i == 2 && handle->family == FW3_FAMILY_V6)
+					fw3_ipt_rule_src_dest(r, NULL, &mcdst);
 				fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
 				fw3_ipt_rule_target(r, "DROP");
 				fw3_ipt_rule_append(r, chains[i]);
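Review bot: the condition `if (i == 2 && handle->family == FW3_FAMILY_V6)` selects the OUTPUT chain by a magic loop index, which silently depends on the ordering and stride of the `chains[]` array that is only partially visible in the first hunk (it ends with `"FORWARD", "forwarding"`); comparing the chain name (e.g. `!strcmp(chains[i], "OUTPUT")`) or adding a comment would make the intent robust to reordering. Separately, the exemption is broader than the commit message states: the modified rule is `-m conntrack --ctstate INVALID -j DROP` with only a destination match, so every INVALID-state packet of any protocol from the router to a link-local destination now bypasses the drop, not just ICMPv6 echo replies. If the goal is only the multicast ping case, restricting the exemption to ICMPv6 (a `-p ipv6-icmp` match) would keep drop_invalid effective for everything else; otherwise the commit message should say that all link-local-destined output is exempted.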
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel