From: Antonio Ospite
Date: Fri, 20 Apr 2018 13:55:16 +0000 (+0200)
Subject: Fix matching ICMPv6 mld-listener-query packets
X-Git-Url: https://git.ao2.it/config/nftables.git/commitdiff_plain/d684d1e527c3554ae88b01d215d3a07d7606cbad?ds=inline;hp=d684d1e527c3554ae88b01d215d3a07d7606cbad

Fix matching ICMPv6 mld-listener-query packets

Even though there is a rule to match mld-listener-query in a
"nexthdr ipv6-icmp" packet, the packets still get rejected and the
following message shows up in the logs:

  [INPUT]: ... SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0

By looking at the packet dump it looks like the packet comes after a
Hop-by-Hop header:

  Internet Protocol Version 6, Src: fe80::1, Dst: ff02::1
      0110 .... = Version: 6
      ...
      Next Header: IPv6 Hop-by-Hop Option (0)
      Hop Limit: 1
      Source: fe80::1
      Destination: ff02::1
      ...
      IPv6 Hop-by-Hop Option
          Next Header: ICMPv6 (58)
          ...
  Internet Control Message Protocol v6
      Type: Multicast Listener Query (130)
      ...

and so "ip6 nexthdr" does not really match it.

Use "hbh nexthdr" instead.
---
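
Added example, not part of the original commit: the Python below walks the header chain of a constructed MLD query (same addresses, hop limit and length as the log line above) to show why a match on the fixed header's Next Header field sees 0 while the ICMPv6 value 58 only appears inside the Hop-by-Hop header. The packet bytes and all function names are made up for illustration.

```python
import ipaddress
import struct

HOP_BY_HOP, ICMPV6, MLD_QUERY = 0, 58, 130
# Extension headers laid out as (next header, length in 8-byte units, ...).
# Fragment (44) and AH (51) use other layouts and are left out of this example.
EXT_HEADERS = {0: "hbh", 43: "routing", 60: "dstopts"}

def build_mld_query():
    """Constructed sample packet: MLD query fe80::1 -> ff02::1 behind Hop-by-Hop."""
    # Hop-by-Hop: next header ICMPv6, length 0 (= 8 bytes), Router Alert, PadN
    hbh = bytes([ICMPV6, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])
    # MLDv2-sized query (28 bytes): type, code, checksum (left 0, not verified
    # here), max response code, reserved, group address, flags, QQIC, sources
    mld = struct.pack("!BBHHH16sBBH", MLD_QUERY, 0, 0, 10000, 0, bytes(16), 2, 125, 0)
    payload = hbh + mld
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 1)
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    return fixed + src + dst + payload

def first_nexthdr(pkt):
    """The only value a match on the fixed IPv6 header's Next Header can see."""
    return pkt[6]

def upper_layer(pkt):
    """Walk the extension chain; return (headers seen, upper protocol, offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nxt])
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return chain, nxt, off

def is_mld_query(pkt):
    """True when the upper-layer header is ICMPv6 with type 130."""
    _, proto, off = upper_layer(pkt)
    return proto == ICMPV6 and off < len(pkt) and pkt[off] == MLD_QUERY

if __name__ == "__main__":
    pkt = build_mld_query()
    print("fixed-header next header:", first_nexthdr(pkt))  # 0, not 58
    print("chain / upper protocol / offset:", upper_layer(pkt))
    print("MLD query:", is_mld_query(pkt))
```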