Re: [Audit-test-developer] [PATCH 05/19] netfilebt: allow IPv6 ND through ebtables

[Jiri J. <jja...@re...>]

On 08/27/2013 07:50 PM, Linda Knippers wrote:
> Not my area but I trust you. :-)
> 
> -- ljk
> 

I believe that this part of README.netfilter was originally made up
to work around the fact that no ARP/ND packets could get through:

  Setting the aging timer to a high value is helpful to the testing as
  it prevents the learned mac addresses in the bridge's forwarding
  database from being deleted when it hasn't seen a frame from that mac
  address in the timer number of seconds.  The following command is
  recommended.

    # brctl setageing <bridge name> 3600

This workaround shouldn't be needed anymore as basic link discovery
now works.

To my best knowledge, these rules shouldn't interfere with anything,
since they're mandatory for vast majority of traffic to work.
They would present a problem only when doing something like static
ARP/neighbor assignment testing (and checking that no requests
are being sent).

>>  
>>  ebtables -A INPUT -p arp -j ACCEPT
>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
>>  

Jiri