On Mon, May 02, 2016 at 09:37:07PM +0200, Baptiste Jonglez wrote:
> On Mon, May 02, 2016 at 08:17:48PM +0200, Vittorio Gambaletta (VittGam) wrote:
> > Since drop_invalid has been turned on by default, ICMPv6 echo requests
> > to well-known multicast addresses, such as ff02::1, are not replied to
> > by the router anymore, because conntrack considers those outgoing reply
> > packets to be invalid.
> >
> > Fix this by not having the INVALID rule in the OUTPUT chain match IPv6
> > packets destined to link-local addresses (fe80::/10).
>
> I'm not sure I understand: the multicast ICMP packets you mention have a
> destination address of ff02::1, which is not in fe80::/10. Did you intend
> to allow all of ff00::/8 as destination (which is probably much too
> permissive), or did I miss something?
I *did* miss something: this rule is added to the output path, not the input path. Sorry for the noise. I wonder if it's the only legitimate kind of traffic that gets dropped by the INVALID rule, though.

> > Signed-off-by: Vittorio Gambaletta <open...@vittgam.net> > > --- > > > > diff --git a/defaults.c b/defaults.c > > index 3d210f9..ea905e0 100644 > > --- a/defaults.c > > +++ b/defaults.c > > @@ -180,6 +180,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle > > *handle, > > "FORWARD", "forwarding", > > }; > > > > + struct fw3_address mcdst = { > > + .set = true, > > + .invert = true, > > + .family = FW3_FAMILY_V6, > > + .address.v6.s6_addr = { 0xfe, 0x80 }, > > + .mask.v6.s6_addr = { 0xff, 0xc0 }, > > + }; > > + > > switch (handle->table) > > { > > case FW3_TABLE_FILTER: > > @@ -215,6 +223,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle > > *handle, > > if (defs->drop_invalid) > > { > > r = fw3_ipt_rule_new(handle); > > + if (i == 2 && handle->family == FW3_FAMILY_V6) > > + fw3_ipt_rule_src_dest(r, NULL, &mcdst); > > fw3_ipt_rule_extra(r, "-m conntrack --ctstate > > INVALID"); > > fw3_ipt_rule_target(r, "DROP"); > > fw3_ipt_rule_append(r, chains[i]); > > _______________________________________________ > > openwrt-devel mailing list > > openwrt-devel@lists.openwrt.org > > https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
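Review bot: In the first hunk, `mcdst` is misnamed for what it matches: the bytes 0xfe 0x80 under mask 0xff 0xc0 are the link-local prefix fe80::/10, and with `.invert = true` the later rule matches "any destination except link-local", not a multicast destination. A name such as `ll_dst` plus a one-line comment saying why the replies to ff02::1 requests end up with an fe80::/10 destination (as the commit message implies) would make the intent clear. The struct is also declared for every `handle->table` value although it is only used under `FW3_TABLE_FILTER`; declaring it inside that case would keep it next to its single use.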
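Review bot: In the second hunk, the negated destination match exempts every conntrack-INVALID IPv6 packet sent to fe80::/10 from the DROP, not only the ICMPv6 echo replies the commit message describes; if the intent is just those replies, restricting the exemption to ICMPv6 (for example by adding `-p ipv6-icmp` to the exempting rule) would keep the INVALID drop in force for other link-local output. The `i == 2` test also hard-codes the position of the OUTPUT entry in the `chains[]` table, which silently breaks if that table is reordered; checking the chain name (or a named index) and adding a short comment would be more robust.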