From: <abe...@us...> - 2016-02-13 22:58:23
Revision: 7531 http://sourceforge.net/p/astlinux/code/7531 Author: abelbeck Date: 2016-02-13 22:58:22 +0000 (Sat, 13 Feb 2016) Log Message: ----------- arnofw, added support for ICMPv6 Multicast Listener Discovery, eliminate annoying ICMPv6 logging, Thanks David Kerr Ref: https://github.com/arno-iptables-firewall/aif/commit/7bd64927a401050769b7da18fd2ae52370cc2390 Added Paths: ----------- branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch
Added: branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch
===================================================================
--- branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch (rev 0)
+++ branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch 2016-02-13 22:58:22 UTC (rev 7531)
@@ -0,0 +1,75 @@
+From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck <lo...@ab...>
+Date: Sat, 13 Feb 2016 16:16:16 -0600
+Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener
+ Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure
+ all un-needed ICMPv6 packets are dropped so they don't appear as annoying
+ logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for
+ pointing out the issue and testing a solution.
+
+---
+ bin/arno-iptables-firewall | 10 ++++++++++
+ etc/arno-iptables-firewall/firewall.conf | 6 ++++++
+ share/arno-iptables-firewall/environment | 4 ++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
+index f5095a5..b02a85f 100755
+--- a/bin/arno-iptables-firewall
++++ b/bin/arno-iptables-firewall
+@@ -4574,6 +4574,11 @@ setup_firewall_rules()
+ for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do
+ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT
+ done
++ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then
++ for icmpv6_type in $ICMPV6_MLD_TYPES; do
++ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
++ done
++ fi
+ fi
+
+ # Apply external (internet) interface policy for the input chain:
+@@ -4592,6 +4597,11 @@ setup_firewall_rules()
+
+ # ICMP traffic (flood)
+ iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
++
++ # Drop any remaining ICMPv6 traffic
++ if [ "$IPV6_SUPPORT" = "1" ]; then
++ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN
++ fi
+ done
+
+
+diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf
+index 9e80e20..2291916 100644
+--- a/etc/arno-iptables-firewall/firewall.conf
++++ b/etc/arno-iptables-firewall/firewall.conf
+@@ -1158,6 +1158,12 @@ OPEN_ICMP=0
+ # -----------------------------------------------------------------------------
+ OPEN_ICMPV6=1
+
++# Enable (1) to make the default policy allow IPv6 ICMPv6
++# Multicast Listener Discovery (RFC 2710, 3810) for INET access
++# Note: Requires setting OPEN_ICMPV6=1 to apply.
++# -----------------------------------------------------------------------------
++OPEN_ICMPV6_MLD=0
++
+ # Put in the following variables which ports or IP protocols you want to leave
+ # open to the whole world.
+ # -----------------------------------------------------------------------------
+diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment
+index 5728e4c..616c29c 100644
+--- a/share/arno-iptables-firewall/environment
++++ b/share/arno-iptables-firewall/environment
+@@ -1698,6 +1698,10 @@ fi
+ ######################################################################
+ ICMPV6_SPECIAL_TYPES="133 134 135 136"
+
++# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810)
++######################################################################
++ICMPV6_MLD_TYPES="130 131 132 143"
++
+ # Check plugin bin path and fallback in case it's empty
+ #######################################################
+ if [ -z "$PLUGIN_BIN_PATH" ]; then
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
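Review bot: The MLD accept rule added in the first setup_firewall_rules() hunk constrains source (`-s fe80::/10`) and hop limit (`--hl-eq 1`) but not destination; MLD messages are only ever addressed to link-scope multicast groups, so adding `-d ff02::/16` to that ip6tables line would tighten the accept without affecting legitimate MLD. The catch-all `ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN` in the second hunk is appended after the ICMP flood rule, and whether essential types such as Packet Too Big (type 2) are accepted before it depends on rule order outside this hunk; that is worth confirming, since dropping them breaks IPv6 path MTU discovery on the external interface. The `if` enclosing the new OPEN_ICMPV6_MLD block starts outside the hunk, so the firewall.conf note that OPEN_ICMPV6=1 is required cannot be checked against the code shown here. In the environment hunk, `ICMPV6_MLD_TYPES="130 131 132 143"` would read better with the numbers named, e.g. `# 130 Query, 131 Report (v1), 132 Done, 143 Report (v2)`.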