From 0ea9f6611ab6024a03e44b0b3e61e06d6fb30e5c Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 10 Mar 2011 16:25:08 +0000
Subject: [PATCH] * Add some more rules to allow ICMPv6 router/neighbour advertisements in. Maybe we're better off accepting all ICMPv6 messages *except* echo requests.

svn path=/nixos/trunk/; revision=26260
---
modules/services/networking/firewall.nix | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 30ba36e27d0..44cb401c273 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -158,10 +158,19 @@ in
# probably nobody is listening anyway.
iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
- # Accept IPv6 ICMP packets on the local link. Otherwise
- # stuff like neighbor/router solicitation won't work.
+ # Accept IPv6 ICMP packets on the local link.
ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
+
+ # Accept neighbour solicitations from solicited-node
+ # addresses. Otherwise other nodes cannot reach us at
+ # all.
ip6tables -A INPUT -d ff02::1:ff00:0/104 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ # Accept router and neighbour advertisements from
+ # anywhere. Would be nice to be more specific.
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Optionally respond to pings.
${optionalString cfg.allowPing ''
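Review bot: The two advertisement rules at the end of the hunk accept router-advertisement and neighbour-advertisement from any source with no hop-limit match, so a forged advertisement routed in from off-link is let through to the ND code; RFC 4861 requires every ND message to carry hop limit 255, and ip6tables can enforce that with `-m hl --hl-eq 255`. The router-advertisement rule is also wider than the comment's "would be nice to be more specific" needs — a valid RA must have a link-local source, which the existing `-s fe80::/10` rule above already accepts — so `ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT` and `ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT` keep the intended behaviour while shutting out routed forgeries. The same `-m hl --hl-eq 255` match fits the new neighbour-solicitation rule, since solicitations are ND messages too. Whether the kernel's own ND validation already discards such packets is not visible in this hunk, but the firewall should not rely on it. The shell string these rules live in begins and ends outside the hunk.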