From: Florian Westphal <fw@strlen.de>
To: Tom <tom@foscore.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: proper ICMPv6 syntax for specific daddr
Date: Wed, 7 Sep 2022 16:58:37 +0200
Message-ID: <20220907145837.GA20812@breakpoint.cc>
In-Reply-To: <dc512913-d28a-9224-ad5a-e68828975766@foscore.com>

Tom <tom@foscore.com> wrote:
> I can successfully enable ping for IPv6 using this rule:
> 
> nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept

This is not related to ping, this ratelimits ALL of icmpv6.

Please use 'icmpv6 type { echo-request, echo-reply}'.

> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
> nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept
> 
> ...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second
> rule still works but now the first doesn't.  I've tried using sets like so:

icmpv6 is an integral part of ipv6, the above will ratelimit neighbour
solicitations, pmtu updates and so on as well.
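
The distinction drawn in this reply, written out as an nftables ruleset file. This is an added example, not part of the original message or of the nftables project: the table name, the default-drop policy and the 2001:db8:: addresses (documentation prefix, standing in for the redacted ones) are assumptions.

```nftables
# Added example; load into a test namespace with: nft -f <this file>
# Table name and addresses are constructed for illustration.
table ip6 example_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # ICMPv6 that IPv6 itself depends on (neighbour discovery,
        # router discovery, PMTU and error reporting). Accepted without
        # sharing a limiter with ping, so echo traffic cannot starve it.
        icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert,
            packet-too-big, destination-unreachable,
            time-exceeded, parameter-problem
        } accept

        # Ping only, one rule per destination so each address has its
        # own 5/second limiter. "counter" sits before "limit", as in the
        # original rules, so it counts every matching packet, including
        # those that exceed the rate and fall through to the drop policy.
        ip6 daddr 2001:db8::5 icmpv6 type { echo-request, echo-reply } counter limit rate 5/second accept
        ip6 daddr 2001:db8::6 icmpv6 type { echo-request, echo-reply } counter limit rate 5/second accept
    }
}
```

`nft list ruleset` after a ping test shows the per-address counters, and neighbour discovery for both addresses keeps working regardless of how much echo traffic arrives.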
