(usagi-users 02956) Re: [netfilter] problem with icmpv6 and connection tracking

[Fabio Massimo Di Nitto <fabbione@xxxxxxxxxxxx>]

On Wed, 19 May 2004, Yasuyuki Kozakai wrote:

> With your rule, almost ICMPv6 packets for DAD, Address Auto Configuration,
> and so on are dropped. Because the packets to multicast address are not
> tracked.
>
> I think these ICMPv6 packets should not be filtered.

Ok I got it working now :-)) sorry for the previous email but i had to
play a bit more around. Here is a working setup:

CMD=/usr/local/v6/sbin/ip6tables

$CMD -F INPUT
$CMD -P INPUT DROP
$CMD -A INPUT -j ACCEPT -d f000::/4
$CMD -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

icmpv6 is correctly tracked as counters will show and you were perfectly
right about multicast.

Thanks a lot for all your help!
Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.