firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)
SVN-Revision: 27979
This commit is contained in:
Jo-Philipp Wich
parent
3aa922d33c
commit
f1e7045d30
3 changed files with 18 additions and 2 deletions
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
PKG_NAME:=firewall
|
PKG_NAME:=firewall
|
||||||
|
|
||||||
PKG_VERSION:=2
|
PKG_VERSION:=2
|
||||||
PKG_RELEASE:=33
|
PKG_RELEASE:=34
|
||||||
|
|
||||||
include $(INCLUDE_DIR)/package.mk
|
include $(INCLUDE_DIR)/package.mk
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -44,6 +44,22 @@ config rule
|
||||||
option target ACCEPT
|
option target ACCEPT
|
||||||
|
|
||||||
# Allow essential incoming IPv6 ICMP traffic
|
# Allow essential incoming IPv6 ICMP traffic
|
||||||
|
config rule
|
||||||
|
option src wan
|
||||||
|
option proto icmp
|
||||||
|
list icmp_type echo-request
|
||||||
|
list icmp_type destination-unreachable
|
||||||
|
list icmp_type packet-too-big
|
||||||
|
list icmp_type time-exceeded
|
||||||
|
list icmp_type bad-header
|
||||||
|
list icmp_type unknown-header-type
|
||||||
|
list icmp_type router-solicitation
|
||||||
|
list icmp_type neighbour-solicitation
|
||||||
|
option limit 1000/sec
|
||||||
|
option family ipv6
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
|
# Allow essential forwarded IPv6 ICMP traffic
|
||||||
config rule
|
config rule
|
||||||
option src wan
|
option src wan
|
||||||
option dest *
|
option dest *
|
||||||
|
|
|
||||||
|
|
@ -102,7 +102,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
|
||||||
local p
|
local p
|
||||||
for p in ${proto:-tcp udp}; do
|
for p in ${proto:-tcp udp}; do
|
||||||
case "$p" in
|
case "$p" in
|
||||||
tcp|udp)
|
tcp|udp|6|17)
|
||||||
iptables -t nat -A nat_reflection_in \
|
iptables -t nat -A nat_reflection_in \
|
||||||
-s $lanip/$lanmk -d $exthost \
|
-s $lanip/$lanmk -d $exthost \
|
||||||
-p $p $extport \
|
-p $p $extport \
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue