[package] firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)
authorjow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
committerjow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Sun, 14 Aug 2011 00:33:29 +0000 (00:33 +0000)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@27979 3c298f89-4303-0410-b956-a3cf2f4a3e73

package/firewall/Makefile
package/firewall/files/firewall.config
package/firewall/files/reflection.hotplug

index cdb8dc6..b192ad3 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=2
-PKG_RELEASE:=33
+PKG_RELEASE:=34
 
 include $(INCLUDE_DIR)/package.mk
 
index b47823f..5a5dfd0 100644 (file)
@@ -44,6 +44,22 @@ config rule
        option target           ACCEPT
 
 # Allow essential incoming IPv6 ICMP traffic
+config rule
+       option src              wan
+       option proto    icmp
+       list icmp_type          echo-request
+       list icmp_type          destination-unreachable
+       list icmp_type          packet-too-big
+       list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
+       list icmp_type          router-solicitation
+       list icmp_type          neighbour-solicitation
+       option limit            1000/sec
+       option family           ipv6
+       option target           ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
 config rule                                   
        option src              wan
        option dest             *
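Review bot: The new wan input rule accepts `router-solicitation` and `neighbour-solicitation` but not `neighbour-advertisement` or `router-advertisement`, which RFC 4890 also treats as traffic that must not be dropped for local delivery. Unless a rule outside this hunk accepts them, neighbour discovery and address autoconfiguration on the wan side can break, so consider adding `list icmp_type neighbour-advertisement` and `list icmp_type router-advertisement`. Parameter Problem code 2 is also missing; `list icmp_type unknown-option` would sit next to `unknown-header-type`. `option limit 1000/sec` also covers packet-too-big and the discovery messages, so it is worth confirming that packets over the limit do not fall through to a wan policy that drops them (how the limit is expanded per type is not visible here). The forwarded-traffic rule that follows starts inside the hunk and continues outside it.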
index 15e3500..1feb210 100644 (file)
@@ -102,7 +102,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
                                local p
                                for p in ${proto:-tcp udp}; do
                                        case "$p" in
-                                               tcp|udp)
+                                               tcp|udp|6|17)
                                                        iptables -t nat -A nat_reflection_in \
                                                                -s $lanip/$lanmk -d $exthost \
                                                                -p $p $extport \
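Review bot: The iptables call in this arm expands `$lanip/$lanmk` and `$exthost` unquoted, so an empty or whitespace-containing value shifts the argument list instead of failing cleanly. `-s "$lanip/$lanmk" -d "$exthost"` would be safer, assuming nothing earlier in the script (outside this hunk) already validates them; `$extport` looks like it deliberately carries several words and would have to stay unquoted. The new `6|17` alternatives would also benefit from a comment such as `# 6 and 17 are the IP protocol numbers for tcp and udp`. The case body and the iptables command continue past the end of the hunk.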