summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Antonio Ospite [Fri, 27 Apr 2018 08:50:54 +0000 (10:50 +0200)]
Add a Makefile to make it easier to deploy the configuration
Antonio Ospite [Thu, 26 Apr 2018 21:09:15 +0000 (23:09 +0200)]
nftables-workstation.nft: mention the IPv6 Neighbor Discovery RFC
Antonio Ospite [Thu, 26 Apr 2018 15:40:34 +0000 (17:40 +0200)]
nftables-workstation.nft: perform stateful filtering after the static rules
Antonio Ospite [Thu, 26 Apr 2018 13:00:09 +0000 (15:00 +0200)]
nftables-workstation.nft: set default policy to drop
Antonio Ospite [Thu, 26 Apr 2018 12:56:40 +0000 (14:56 +0200)]
nftables-workstation.nft: remove unneeded semicolons
Antonio Ospite [Fri, 20 Apr 2018 13:55:16 +0000 (15:55 +0200)]
Fix matching ICMPv6 mld-listener-query packets
Even though there is a rule to match mld-listener-query in a "nexhdr
ipv6-icmp" packet, the packets still get rejected and the following
message shows up in the logs:
[INPUT]: ... SRC=fe80:0000:0000:0000:0000:0000:0000:0001
DST=ff02:0000:0000:0000:0000:0000:0000:0001
LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0
PROTO=ICMPv6 TYPE=130 CODE=0
By looking at the packet dump it looks like the packet come after
a Hop-by-Hop header:
Internet Protocol Version 6, Src: fe80::1, Dst: ff02::1
0110 .... = Version: 6
...
Next Header: IPv6 Hop-by-Hop Option (0)
Hop Limit: 1
Source: fe80::1
Destination: ff02::1
...
IPv6 Hop-by-Hop Option
Next Header: ICMPv6 (58)
...
Internet Control Message Protocol v6
Type: Multicast Listener Query (130)
...
and so "ip6 nexthdr" does not really matches it.
Use "hbh nexthdr" instead.
Antonio Ospite [Fri, 20 Apr 2018 08:47:56 +0000 (10:47 +0200)]
Initial import
projects / config / nftables.git / log