[libvirt] dhcp6, radvd, ip6tables, etc. (update)

R P Herrold herrold at owlriver.com
Tue Oct 30 22:45:15 UTC 2012


On Tue, 30 Oct 2012, Gene Czarcinski wrote:

>>> 1. dhcpv6 solicit:  from=fe80::client:546  to=ff02::1:2:547
>>> 2. dhcpv6 advertise:  from=fe80::server:547  to=fe80::client:546
>>> 3. dhcpv6 request:  from=fe80::client:546  to=ff02::1:2:547
>>> 4. dhcpv6 reply:  from=fe80::server:547  to=fe80::client:546

I think the rules you want are these (we use the symbolic 
names for the packet sub-type as it makes things clearer):

# /etc/sysconfig/ip6tables
# ... 
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -s $IP6SERVER -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# ...

I do not know that you need to filter or attempt to direct 
'router-solicitation' as your comments mentioned.  We have not 
had a 'real world' need to do so.  We run a variation of these 
rules at pmman.

from: man 8 ip6tables

    icmp6
        This extension can be used  if  ‘--protocol  ipv6-icmp’  or
        ‘--protocol icmpv6’ is specified. It provides the following
        option:

        [!] --icmpv6-type type[/code]|typename
               This allows specification of the ICMPv6 type,  which
               can  be a numeric ICMPv6 type, type and code, or one
               of the ICMPv6 type names shown by the command
                ip6tables -p ipv6-icmp -h

-- Russ herrold
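A first-match model of the ip6tables excerpt above, run over a few constructed packets; this is an added illustration, not code from the post or from libvirt. It models only the four rules shown (the "# ..." lines of the real file are absent), so the UDP DHCPv6 solicit from the quoted exchange falls through to the final REJECT, while a router advertisement is accepted only from the placeholder server address "fe80::server" (an assumed stand-in, like "fe80::rogue"); the ICMPv6 type numbers 134 and 135 are the real ones for router-advertisement and neighbor-solicitation.

```python
# Added illustration (not code from the post): first-match evaluation of the
# four INPUT rules shown above. Addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

ROUTER_ADVERTISEMENT = 134   # ICMPv6 type behind the symbolic name in the rules
NEIGHBOR_SOLICITATION = 135  # another ICMPv6 type, caught by the catch-all ICMPv6 ACCEPT
IP6SERVER = "fe80::server"   # stands in for the $IP6SERVER placeholder in the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "ipv6-icmp" or "udp"
    icmpv6_type: Optional[int] = None
    dport: Optional[int] = None


# (proto, icmpv6_type, src, verdict); None means "any match", in the order shown
INPUT_CHAIN = [
    ("ipv6-icmp", ROUTER_ADVERTISEMENT, IP6SERVER, "ACCEPT"),
    ("ipv6-icmp", ROUTER_ADVERTISEMENT, None,      "DROP"),
    ("ipv6-icmp", None,                 None,      "ACCEPT"),
    (None,        None,                 None,      "REJECT"),  # --reject-with icmp6-adm-prohibited
]


def verdict(pkt: Packet) -> str:
    """Return the action of the first rule that matches, as netfilter does."""
    for proto, itype, src, action in INPUT_CHAIN:
        if proto is not None and pkt.proto != proto:
            continue
        if itype is not None and pkt.icmpv6_type != itype:
            continue
        if src is not None and pkt.src != src:
            continue
        return action
    return "POLICY"  # not reached: the last rule matches everything


# Constructed sample traffic
LEGIT_RA = Packet("fe80::server", "ff02::1", "ipv6-icmp", icmpv6_type=ROUTER_ADVERTISEMENT)
ROGUE_RA = Packet("fe80::rogue", "ff02::1", "ipv6-icmp", icmpv6_type=ROUTER_ADVERTISEMENT)
NEIGHBOR_SOLICIT = Packet("fe80::client", "ff02::1:ff00:1", "ipv6-icmp", icmpv6_type=NEIGHBOR_SOLICITATION)
DHCP6_SOLICIT = Packet("fe80::client", "ff02::1:2", "udp", dport=547)  # message 1 of the quoted exchange

if __name__ == "__main__":
    for name, pkt in [("legit RA", LEGIT_RA), ("rogue RA", ROGUE_RA),
                      ("neighbor solicit", NEIGHBOR_SOLICIT), ("dhcpv6 solicit", DHCP6_SOLICIT)]:
        print(f"{name:17s} -> {verdict(pkt)}")
```

The last line of output shows why the elided "# ..." rules matter: without an explicit UDP 546/547 rule ahead of the final REJECT, the DHCPv6 exchange never reaches the server.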
