FS#49789 - [nftables] seems oblivious to ICMPv6 type 143 messages
Attached to Project:
Arch Linux
Opened by the THC (-thc) - Tuesday, 21 June 2016, 06:45 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 23 June 2016, 21:09 GMT
Details
Description:
Whenever a new connection (Ethernet after wakeup, VPN connect) is established, the IPv6 stack of Arch Linux sends ICMPv6 messages (Version 2 Multicast Listener Report) like this:

    IN= OUT=eno1 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 MARK=0xd4

Create a simple IPv4/IPv6 nftables ruleset:

    table inet filter {
        chain input {
            type filter hook input priority 0;
            ct state established,related accept
            iif lo accept
            ip6 nexthdr icmpv6 icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
            counter log prefix "denied IN: "
        }
        chain output {
            type filter hook output priority 0;
            ct state established,related accept
            oif lo accept
            ct state new counter accept
            ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-solicit, nd-neighbor-advert } accept
            counter log prefix "denied OUT: "
        }
    }

Explicitly allowing "mld-listener-report" (is this type 131?) in the outgoing ICMPv6 rule or replacing it with a "catch-all" rule

    ip6 nexthdr icmpv6 accept

will have the same effect: the packets will be logged as "denied OUT" either way.

Additional info:
nftables 0.6-2 x86_64
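The ruleset below is an added example; it is neither the reporter's ruleset nor code from the nftables package, and it keeps the report's "inet filter" table, chain and loopback layout as an assumption. Two facts explain the logged packets. ICMPv6 type 143 is the MLDv2 Multicast Listener Report (RFC 3810), which nftables spells mld2-listener-report; mld-listener-report is the MLDv1 report, type 131. MLD messages also carry a Hop-by-Hop Options extension header (Router Alert) ahead of the ICMPv6 header, so the Next Header field of the fixed IPv6 header is 0 rather than 58, and a rule keyed on ip6 nexthdr icmpv6 never sees them, whatever icmpv6 type follows it. Matching on icmpv6 type alone lets nft resolve the transport header through the extension-header chain. The policy drop; statements are also new: the report's chains have no policy, so their trailing log rules record packets that the default accept policy then lets through.

```nft
# Added example (not the reporter's ruleset, not nftables package code).
# Assumptions: table/chain names and the loopback rules follow the report;
# "policy drop;" is new, because a chain with no policy accepts by default,
# so a trailing "log" rule on its own records packets without denying them.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept

        # Would NOT match MLD: for MLD packets the fixed header's next
        # header is the Hop-by-Hop extension (0), not ICMPv6 (58).
        # ip6 nexthdr icmpv6 icmpv6 type mld-listener-query accept

        # "icmpv6 type" alone locates the transport header past any
        # extension headers. Queries must be let in so the host can answer
        # them with listener reports.
        icmpv6 type { nd-redirect, nd-neighbor-solicit, nd-router-advert,
                      nd-neighbor-advert, mld-listener-query } counter accept
        counter log prefix "denied IN: "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept

        # Neighbour discovery plus every MLD message a host emits:
        #   131 mld-listener-report   (MLDv1)
        #   132 mld-listener-done     (MLDv1 leave)
        #   143 mld2-listener-report  (MLDv2; the TYPE=143 in this ticket)
        icmpv6 type { nd-neighbor-solicit, nd-router-solicit, nd-neighbor-advert,
                      mld-listener-report, mld-listener-done,
                      mld2-listener-report } counter accept
        ct state new counter accept
        counter log prefix "denied OUT: "
    }
}
```

Load it with nft -f and trigger the wake-up or VPN connect again: the counter on the output chain's icmpv6 rule should increase and no "denied OUT:" line for TYPE=143 should appear, while the commented-out ip6 nexthdr form, if re-enabled instead, would leave the reports unmatched.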
Closed by Sébastien Luttringer (seblu)
Thursday, 23 June 2016, 21:09 GMT
Reason for closing: Upstream
Comment by Sébastien Luttringer (seblu) - Thursday, 23 June 2016, 21:08 GMT
This seems to be a report for upstream. It does not seem to be related to packaging.