From: Antonio Ospite Date: Fri, 20 Apr 2018 13:55:16 +0000 (+0200) Subject: Fix matching ICMPv6 mld-listener-query packets X-Git-Url: https://git.ao2.it/config/nftables.git/commitdiff_plain/d684d1e527c3554ae88b01d215d3a07d7606cbad Fix matching ICMPv6 mld-listener-query packets Even though there is a rule to match mld-listener-query in a "nexhdr ipv6-icmp" packet, the packets still get rejected and the following message shows up in the logs: [INPUT]: ... SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0 By looking at the packet dump it looks like the packet come after a Hop-by-Hop header: Internet Protocol Version 6, Src: fe80::1, Dst: ff02::1 0110 .... = Version: 6 ... Next Header: IPv6 Hop-by-Hop Option (0) Hop Limit: 1 Source: fe80::1 Destination: ff02::1 ... IPv6 Hop-by-Hop Option Next Header: ICMPv6 (58) ... Internet Control Message Protocol v6 Type: Multicast Listener Query (130) ... and so "ip6 nexthdr" does not really matches it. Use "hbh nexthdr" instead. --- diff --git a/nftables-workstation.nft b/nftables-workstation.nft index 3f1f446..fd227f5 100644 --- a/nftables-workstation.nft +++ b/nftables-workstation.nft @@ -75,7 +75,8 @@ table inet filter { } ip6 hoplimit 255 accept # Allow multicast listener discovery on link-local addresses. - ip6 nexthdr ipv6-icmp icmpv6 type { + # RFC2710 specifies that a Hop-by-Hop Options header is used. + hbh nexthdr ipv6-icmp icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction