From 16afd880b27b17dedad7e079d29bb48c9be409e2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 11 Apr 2016 11:16:46 -0700 Subject: [PATCH] Reverse the order of ICMP and Broadcast checking in the default actions Signed-off-by: Tom Eastep --- Shorewall/action.Drop | 3 +++ Shorewall/action.Reject | 3 +++ 2 files changed, 6 insertions(+) diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop index 86eee6d2e..5e3e81654 100644 --- a/Shorewall/action.Drop +++ b/Shorewall/action.Drop @@ -53,6 +53,9 @@ Auth(@2) # # ACCEPT critical ICMP types # +# For IPv6 connectivity ipv6-icmp broadcasting is required so +# AllowICMPs must be before silent broadcast Drop. +# AllowICMPs(@4) - - icmp # # Don't log broadcasts diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject index 47873cccd..48eda55ef 100644 --- a/Shorewall/action.Reject +++ b/Shorewall/action.Reject @@ -52,6 +52,9 @@ Auth(@2) # # ACCEPT critical ICMP types # +# For IPv6 connectivity ipv6-icmp broadcasting is required so +# AllowICMPs must be before silent broadcast Drop. +# AllowICMPs(@4) - - icmp # # Drop Broadcasts so they don't clutter up the log
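Review bot: In the Shorewall/action.Drop hunk, the added comment says "ipv6-icmp broadcasting", but IPv6 has no broadcast; neighbor discovery is carried over ICMPv6 multicast. Suggest rewording along the lines of "IPv6 neighbor discovery uses ipv6-icmp multicast, so AllowICMPs must come before the silent broadcast drop". The unchanged rule below the comment reads "AllowICMPs(@4) - - icmp", so the comment should also say whether that rule is expected to cover ipv6-icmp when this action is used for IPv6, since the protocol column shown here names only icmp.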
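Review bot: In the Shorewall/action.Reject hunk, the three added lines are comments only, and the diffstat shows 6 insertions and no deletions across both files, so nothing is reordered by this patch even though the subject says "Reverse the order of ICMP and Broadcast checking". If the AllowICMPs rule was moved ahead of the broadcast drop in another commit, reference it in the commit message; otherwise the rule move itself is missing here. Because the comment now makes "AllowICMPs before the broadcast drop" a requirement, ICMP addressed to broadcast destinations reaches AllowICMPs(@4) before the "Drop Broadcasts" section, so it is worth confirming that AllowICMPs accepts only the critical types the heading refers to.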