Hi Vittorio,

On Mon, May 02, 2016 at 08:17:48PM +0200, Vittorio Gambaletta (VittGam) wrote:
> Since drop_invalid has been turned on by default, ICMPv6 echo requests
> to well-known multicast addresses, such as ff02::1, are not replied to
> by the router anymore, because conntrack considers those outgoing reply
> packets to be invalid.
> 
> Fix this by not having the INVALID rule in the OUTPUT chain match IPv6
> packets destined to link-local addresses (fe80::/10).

I'm not sure I understand: the multicast ICMP packets you mention have a
destination address of ff02::1, which is not in fe80::/10.  Did you intend
to allow all of ff00::/8 as destination (which is probably much too
permissive), or did I miss something?

Baptiste

> Signed-off-by: Vittorio Gambaletta <open...@vittgam.net>
> ---
> 
> diff --git a/defaults.c b/defaults.c
> index 3d210f9..ea905e0 100644
> --- a/defaults.c
> +++ b/defaults.c
> @@ -180,6 +180,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
> *handle,
>               "FORWARD", "forwarding",
>       };
>  
> +     struct fw3_address mcdst = {
> +             .set = true,
> +             .invert = true,
> +             .family = FW3_FAMILY_V6,
> +             .address.v6.s6_addr = { 0xfe, 0x80 },
> +             .mask.v6.s6_addr = { 0xff, 0xc0 },
> +     };
> +
>       switch (handle->table)
>       {
>       case FW3_TABLE_FILTER:
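Review bot: the prefix that `mcdst` encodes (`.address.v6.s6_addr = { 0xfe, 0x80 }` with `.mask.v6.s6_addr = { 0xff, 0xc0 }`) is fe80::/10, which does not contain the ff02::1 destination the commit message says the change is meant to fix, so the exemption as written will not reach those echo replies; the name `mcdst` also suggests a multicast destination while the bytes describe link-local unicast, so either the prefix or the name should change to match the stated intent. Minor: the struct is initialised before `switch (handle->table)`, so it is built for every table and family even though only one branch uses it; declaring it next to its single use would make that clearer.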
> @@ -215,6 +223,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
> *handle,
>                       if (defs->drop_invalid)
>                       {
>                               r = fw3_ipt_rule_new(handle);
> +                             if (i == 2 && handle->family == FW3_FAMILY_V6)
> +                                     fw3_ipt_rule_src_dest(r, NULL, &mcdst);
>                               fw3_ipt_rule_extra(r, "-m conntrack --ctstate 
> INVALID");
>                               fw3_ipt_rule_target(r, "DROP");
>                               fw3_ipt_rule_append(r, chains[i]);
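Review bot: `i == 2` is a magic index that silently depends on the ordering of `chains[]`; comparing against the chain name or a named constant would survive a reordering of that array. The exemption is also wider than the commit message describes: with `.invert = true`, every packet in conntrack state INVALID whose destination lies inside the prefix skips the DROP, not only ICMPv6 echo replies, so either add a protocol match (for example `-p ipv6-icmp`) or document why the broad exemption is acceptable. It is also worth confirming that `fw3_ipt_rule_src_dest()` honours `invert` on the destination argument, since the whole change rests on the match being negated.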
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
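To make the prefix question in the reply concrete, here is an added example (not code from the patch or from the OpenWrt firewall3 project) that reproduces the address/mask matching the patch's struct encodes and shows which destinations its negated match would exempt from the INVALID DROP rule. The `struct prefix6` below is a hypothetical stand-in for `fw3_address`, and the assumption that `invert` negates the destination match is taken from the patch's `.invert = true`; the `mcast_all` prefix is the ff00::/8 alternative the reply mentions, added here for comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for the address/mask pair the patch builds.
 * Only the leading bytes are given, the remaining bytes are zero,
 * exactly as in the patch's designated initializers. */
struct prefix6 {
    bool invert;        /* true: the rule matches destinations OUTSIDE the prefix */
    uint8_t addr[16];
    uint8_t mask[16];
};

/* The patch's mcdst: fe80::/10 (mask ff c0 00 ... 00), negated. */
static const struct prefix6 patch_mcdst = {
    .invert = true,
    .addr = { 0xfe, 0x80 },
    .mask = { 0xff, 0xc0 },
};

/* The alternative raised in the reply: all of ff00::/8, negated. */
static const struct prefix6 mcast_all = {
    .invert = true,
    .addr = { 0xff },
    .mask = { 0xff },
};

/* 1 if dst_text lies inside the prefix, 0 if outside, -1 if it does not parse. */
int prefix_contains(const struct prefix6 *p, const char *dst_text)
{
    uint8_t dst[16];
    if (inet_pton(AF_INET6, dst_text, dst) != 1)
        return -1;
    for (int i = 0; i < 16; i++) {
        if ((dst[i] & p->mask[i]) != (p->addr[i] & p->mask[i]))
            return 0;
    }
    return 1;
}

/* True when the negated destination match lets dst_text bypass the
 * "-m conntrack --ctstate INVALID -j DROP" rule. An unparsable address
 * fails closed: it stays subject to the DROP. */
bool exempted_from_drop(const struct prefix6 *p, const char *dst_text)
{
    int in = prefix_contains(p, dst_text);
    if (in < 0)
        return false;
    /* With invert set, the DROP rule matches only destinations outside the
     * prefix, so destinations inside it are the ones exempted. */
    return p->invert ? in == 1 : in == 0;
}

int main(void)
{
    const char *dsts[] = { "ff02::1", "fe80::1", "2001:db8::1" };  /* constructed samples */
    for (int i = 0; i < 3; i++)
        printf("%-12s patch fe80::/10 exempt=%d  ff00::/8 exempt=%d\n", dsts[i],
               exempted_from_drop(&patch_mcdst, dsts[i]),
               exempted_from_drop(&mcast_all, dsts[i]));
    return 0;
}
```

Running it shows the mismatch the reply points out: ff02::1 is not inside fe80::/10, so the patch's rule still drops the echo reply, while fe80::1 is exempted; the ff00::/8 variant would exempt ff02::1 but also every other multicast destination.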
