* Add some more rules to allow ICMPv6 router/neighbour advertisements

in. Maybe we're better off accepting all ICMPv6 messages *except* echo requests. svn path=/nixos/trunk/; revision=26260
2011-03-10 16:25:08 +00:00 · 2011-03-10 16:25:08 +00:00 · 0ea9f6611a
commit 0ea9f6611a
parent 53bc6d3efa
1 changed files with 11 additions and 2 deletions
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@ -158,10 +158,19 @@ in
            # probably nobody is listening anyway.
            iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT

-            # Accept IPv6 ICMP packets on the local link.  Otherwise
-            # stuff like neighbor/router solicitation won't work.
+            # Accept IPv6 ICMP packets on the local link.
            ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
            ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
+            
+            # Accept neighbour solicitations from solicited-node
+            # addresses.  Otherwise other nodes cannot reach us at
+            # all.
+            ip6tables -A INPUT -d ff02::1:ff00:0/104 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+
+            # Accept router and neighbour advertisements from
+            # anywhere.  Would be nice to be more specific.
+            ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+            ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT

            # Optionally respond to pings.
            ${optionalString cfg.allowPing ''