On 10/30/2012 06:45 PM, R P Herrold wrote:
I think the rules you want are these (we use the symbolic names for the packet sub-type as it makes things clearer)
# /etc/sysconfig/ip6tables # ... -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -s $IP6SERVER -j ACCEPT -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j DROP -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited # ...
I do not know that you need to filter or attempt to direct 'router-solicitation' as your comments mentioned. We have not had a 'real world' need to do so. We run a variation of these rules at pmman
from: man 8 ip6tables
icmp6 This extension can be used if ‘--protocol ipv6-icmp’ or ‘--protocol icmpv6’ is specified. It provides the following option:
[!] --icmpv6-type type[/code]|typename This allows specification of the ICMPv6 type, which can be a numeric ICMPv6 type, type and code, or one of the ICMPv6 type names shown by the command ip6tables -p ipv6-icmp -h It is not icmp6 but dhcpv6 packets.
As I explained earlier in the thread, there is a little 4 packet dance which implements dhcpv6 addresses. Routing is handled by RA. The difference is that you much have the AdvManagedFlag on for dhcpv6 and off otherwise. There does not seem to be a problem with the RA packets getting through. But, for dhcpv6, you need port 547 packets (and specifically with a destination address of ff02::01:2) to get through to the dnsmasq process running on the virtualization host. To happen, this needs an additional ip6tables rule. While just specifying "--dport 547" seems to work, the "correct" appraach should also specify "--destination ff02::1:2" for "--in-interface <our interface>". This is what I have currently implemented and it seems to work well. Gene Gene