summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-11-08 15:10:05 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-11-15 18:33:37 +0100
commitef1764c0ec38f987087f8dc9727aa12c441720a0 (patch)
treec290566dbd130efce7c645e5f70e5c1464c8be9f
parent4db299d6e2a5953c59906d4f1cb6841da34beb7c (diff)
Firewall: ICMPv6: accept link-local multicast receiver notification messages.
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j25
1 files changed, 4 insertions, 1 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 808383c..cc79671 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -64,7 +64,10 @@ table netdev filter {
# accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1
ip6 hoplimit 255 icmpv6 type { 133,134,135,136,141,142 } counter accept
- # reject all remaining ICMP/ICMPv6 traffic
+ # accept link-local multicast receiver notification messages
+ ip6 saddr fe80::/10 ip6 daddr ff02::/16 ip6 hoplimit 1 icmpv6 type { 130,131,132,143 } counter accept
+
+ # drop all remaining ICMP/ICMPv6 traffic
meta l4proto { icmp, icmpv6 } drop
# bogon filter (cf. RFC 6890 for non-global ip addresses)