From 5a66c1d9d65a9e39b31707bce9c954f785bd1060 Mon Sep 17 00:00:00 2001
From: Tuomo Soini <tis@foobar.fi>
Date: Tue, 19 Mar 2024 11:17:00 +0200
Subject: [PATCH] AllowICMPs: certificate path advertisment source must be
 fe80::/10

Signed-off-by: Tuomo Soini <tis@foobar.fi>
---
 Shorewall/Actions/action.AllowICMPs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs
index 409f54733..8582a5268 100644
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -36,7 +36,7 @@ DEFAULTS ACCEPT
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
     @1	::		-	ipv6-icmp	148	# Certificate path solicitation
     @1	fe80::/10	-	ipv6-icmp	148	# Certificate path solicitation
-    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+    @1	fe80::/10	-	ipv6-icmp	149	# Certificate path advertisement
 
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement