From de23e641f7c84307cd07d69ceb1ea5029a2c66c2 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Tue, 19 Mar 2024 11:15:37 +0200 Subject: [PATCH] AllowICMPs: certificate path solicitation source must be :: or fe80::/10 Signed-off-by: Tuomo Soini --- Shorewall/Actions/action.AllowICMPs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs index 9ded6185b..409f54733 100644 --- a/Shorewall/Actions/action.AllowICMPs +++ b/Shorewall/Actions/action.AllowICMPs @@ -34,7 +34,8 @@ DEFAULTS ACCEPT @1 fe80::/10 - ipv6-icmp 143 # Listener report v2 # The following should be received with a ttl of 255 and must be allowed to transit a bridge - @1 - - ipv6-icmp 148 # Certificate path solicitation + @1 :: - ipv6-icmp 148 # Certificate path solicitation + @1 fe80::/10 - ipv6-icmp 148 # Certificate path solicitation @1 - - ipv6-icmp 149 # Certificate path advertisement # The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
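Review bot: the type 149 rule directly below the two added lines, `@1 - - ipv6-icmp 149 # Certificate path advertisement`, still accepts any source address, although it sits under the same "should be received with a ttl of 255" comment as the 148 rules this patch tightens. If the advertisement is also expected only from link-local senders, restrict it in this change. If it is left open on purpose, say why in the commit message so the asymmetry between 148 and 149 does not look like an oversight. The section comment also mentions only the ttl requirement; consider extending it to state the source constraint the subject line describes (`::` or `fe80::/10`), so a reader can tell why 148 is now split into two rules.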