Even though there is a rule to match mld-listener-query in a "nexthdr
ipv6-icmp" packet, the packets still get rejected and the following
message shows up in the logs:
[INPUT]: ... SRC=fe80:0000:0000:0000:0000:0000:0000:0001
DST=ff02:0000:0000:0000:0000:0000:0000:0001
LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0
PROTO=ICMPv6 TYPE=130 CODE=0
By looking at the packet dump it looks like the packet comes after
a Hop-by-Hop header:
Internet Protocol Version 6, Src: fe80::1, Dst: ff02::1
0110 .... = Version: 6
...
Next Header: IPv6 Hop-by-Hop Option (0)
Hop Limit: 1
Source: fe80::1
Destination: ff02::1
...
IPv6 Hop-by-Hop Option
Next Header: ICMPv6 (58)
...
Internet Control Message Protocol v6
Type: Multicast Listener Query (130)
...
and so "ip6 nexthdr" does not really match it.
Use "hbh nexthdr" instead.
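The following is an added example, not part of the original commit or of nftables: it constructs an MLD Listener Query the way RFC 2710 describes it (IPv6 base header with Next Header 0, a Hop-by-Hop header carrying a Router Alert option per RFC 2711, then ICMPv6 type 130) and walks the extension-header chain the way the kernel does when it computes the upper-layer protocol. It shows why a match on the base header's Next Header field sees 0 rather than 58, while the Hop-by-Hop header's own Next Header field and the real upper-layer protocol are both 58. The packet bytes (addresses, max response delay, zero checksum) are constructed sample data; `build_mld_query`, `walk_headers` and `classify` are names chosen for this example.

```python
"""Walk IPv6 extension headers to find the real upper-layer protocol.

Added example, not code from the original commit. The packet built here
is constructed sample data: an MLDv1 General Query (ICMPv6 type 130) sent
from fe80::1 to ff02::1 with hop limit 1, behind a Hop-by-Hop Options
header carrying the Router Alert option (RFC 2710 / RFC 2711). The ICMPv6
checksum is left as 0 because nothing on the wire is computed here.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_ICMPV6 = 58
IPPROTO_DSTOPTS = 60

# Extension headers this walker understands. Hop-by-Hop, Routing and
# Destination Options carry a length byte meaning (n + 1) * 8 bytes;
# the Fragment header is a fixed 8 bytes. AH ((n + 2) * 4) is left out.
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS, IPPROTO_FRAGMENT}


def build_mld_query(src="fe80::1", dst="ff02::1", with_hbh=True):
    """Construct an MLD Listener Query; with_hbh=False omits the RFC 2710
    Hop-by-Hop header so the two packet shapes can be compared."""
    # ICMPv6 MLDv1 query: type 130, code 0, checksum 0 (constructed),
    # max response delay 10000 ms, reserved, multicast address :: (general query)
    icmp = struct.pack("!BBHHH", 130, 0, 0, 10000, 0) + ipaddress.IPv6Address("::").packed

    if with_hbh:
        # Hop-by-Hop: next header 58 (ICMPv6), hdr ext len 0 (=> 8 bytes total),
        # Router Alert option (type 5, length 2, value 0 = MLD message),
        # then a PadN option (type 1, length 0) to fill the 8-byte unit.
        hbh = struct.pack("!BB", IPPROTO_ICMPV6, 0) + bytes([5, 2, 0, 0]) + bytes([1, 0])
        base_nexthdr, payload = IPPROTO_HOPOPTS, hbh + icmp
    else:
        base_nexthdr, payload = IPPROTO_ICMPV6, icmp

    # IPv6 base header: version 6, traffic class 0, flow label 0, hop limit 1
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), base_nexthdr, 1)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + payload


def walk_headers(pkt):
    """Return (base_nexthdr, upper_layer_proto, offset_of_upper_layer).

    base_nexthdr is what a match on the IPv6 header's Next Header field
    sees; upper_layer_proto is what is left after skipping every
    extension header, which is what the transport-layer match keys on.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    base_nexthdr = pkt[6]
    nexthdr, off = base_nexthdr, 40
    while nexthdr in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        hlen = 8 if nexthdr == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        nexthdr, off = pkt[off], off + hlen
    return base_nexthdr, nexthdr, off


def classify(pkt):
    """Summarise the fields the different nft matches would look at."""
    base, l4, off = walk_headers(pkt)
    hbh_nexthdr = pkt[40] if base == IPPROTO_HOPOPTS else None
    icmp_type = pkt[off] if l4 == IPPROTO_ICMPV6 and off < len(pkt) else None
    return {
        "ip6_nexthdr": base,        # "ip6 nexthdr": 0 when a Hop-by-Hop header is present
        "hbh_nexthdr": hbh_nexthdr, # "hbh nexthdr": 58 for MLD behind Hop-by-Hop
        "l4proto": l4,              # upper-layer protocol after all extension headers
        "icmpv6_type": icmp_type,   # 130 = mld-listener-query
    }


if __name__ == "__main__":
    for with_hbh in (True, False):
        print("with_hbh=%s -> %s" % (with_hbh, classify(build_mld_query(with_hbh=with_hbh))))
```

Running the module prints the two shapes side by side: with the Hop-by-Hop header the base Next Header is 0 and only the Hop-by-Hop Next Header and the walked upper-layer protocol are 58; without it the base Next Header is already 58. A rule keyed on `ip6 nexthdr` only sees the first case as ICMPv6 in the second shape, which is the mismatch the commit message describes.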
} ip6 hoplimit 255 accept
# Allow multicast listener discovery on link-local addresses.
- ip6 nexthdr ipv6-icmp icmpv6 type {
+ # RFC2710 specifies that a Hop-by-Hop Options header is used.
+ hbh nexthdr ipv6-icmp icmpv6 type {
mld-listener-query,
mld-listener-report,
mld-listener-reduction
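Review bot: the context comment "# Allow multicast listener discovery on link-local addresses." promises a link-local restriction that neither the removed `ip6 nexthdr ipv6-icmp` rule nor the new `hbh nexthdr ipv6-icmp` rule enforces: there is no source-address or hop-limit match, so any ICMPv6 type 130/131/132 packet behind a Hop-by-Hop header is accepted regardless of where it comes from. Consider adding `ip6 saddr fe80::/10` (and, per RFC 2710, `ip6 hoplimit 1`) to the new rule, or reword the comment. Note also that `hbh nexthdr ipv6-icmp` only matches packets that carry a Hop-by-Hop header, so MLD reports sent without one would now be dropped where the old rule accepted them; if both shapes should pass, `meta l4proto ipv6-icmp icmpv6 type { ... }` keys on the upper-layer protocol after any extension headers. Since MLDv2 (RFC 3810) uses the same Router Alert Hop-by-Hop header, the new comment could cite it alongside RFC 2710.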