extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-23 14:48:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Exit the IPv6 AllowICMPs chain if packet isn't ipv6-icmp

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-12-01 14:50:17 -08:00
parent 138e64c54a
commit 4fc572f664
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Actions/action.AllowICMPs
View File

@ -12,8 +12,8 @@ DEFAULTS ACCEPT
@1 - - icmp fragmentation-needed {comment="Needed ICMP types"}
@1 - - icmp time-exceeded {comment="Needed ICMP types"}
?else
CONTINUE - - !ipv6-icmp
?COMMENT Needed ICMP types (RFC4890)
@1 - - ipv6-icmp destination-unreachable
@1 - - ipv6-icmp packet-too-big
@1 - - ipv6-icmp time-exceeded
@ -38,7 +38,7 @@ DEFAULTS ACCEPT
@1 - - ipv6-icmp 148 # Certificate path solicitation
@1 - - ipv6-icmp 149 # Certificate path advertisement
# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
@1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement
@1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation
@1 fe80::/10 - ipv6-icmp 153 # Multicast router termination