public inbox for netfilter@vger.kernel.org
* Filtering MLD messages
@ 2025-11-30 21:04 Marek Küthe
  2025-12-01  3:24 ` Sunny73Cr
  0 siblings, 1 reply; 2+ messages in thread
From: Marek Küthe @ 2025-11-30 21:04 UTC (permalink / raw)
  To: netfilter


Hello,

I would like to filter MLD messages:
1. Only MLD listener queries and MLD2 listener reports should be
allowed.
2. The messages must have a hop limit of 1.
3. The messages must have a hop-by-hop extension header.
4. The messages must have the router alert option set in the hop-by-hop
extension header.
5. The source address is in the link-local range.

```
set icmp6_mld {
    type icmpv6_type . icmpv6_code;
    flags interval;
    elements = {
        mld-listener-query . 0,
        mld2-listener-report . 0
    };
}

[...]

icmpv6 type . icmpv6 code @icmp6_mld ip6 hoplimit 1 exthdr hbh exists ip6 saddr fe80::/10 counter accept;
```

I have managed to write 1-3 and 5, but I don't know how to filter
the Router Alert option. I have seen that there is `ip option ra`, but
it doesn't seem to work for IPv6. Does anyone know how to write such a
filter?

I would really appreciate some help!

Best regards,
Marek Küthe

-- 
Marek Küthe
m.k@mk16.de
er/ihm he/him



* Re: Filtering MLD messages
  2025-11-30 21:04 Filtering MLD messages Marek Küthe
@ 2025-12-01  3:24 ` Sunny73Cr
  0 siblings, 0 replies; 2+ messages in thread
From: Sunny73Cr @ 2025-12-01  3:24 UTC (permalink / raw)
  To: Marek Küthe; +Cc: netfilter

Hello Marek,

> I would like to filter MLD messages:

If the following lines in the listed files, and the neighbouring functions also, appear to be incompatible, you may need to write some code before this can be done.

Check line 342 in 'payload.c':
https://git.netfilter.org/nftables/tree/src/payload.c

Check line 458 in 'netlink_delinearize.c': https://git.netfilter.org/nftables/tree/src/netlink_delinearize.c

In lieu of an NFQUEUE program, I suggest using raw payload expressions of the form `(ll|nh|ih)@ofs,len`, where 'ofs' and 'len' are integer values, and are in bits.

> 5. The source address is in the link-local range.

An example of matching IPv6 source addresses using raw payload expressions is:

```
@nh,64,16 & 0xffc0 == 0xfe80   # fe80::/10: the top 10 bits of the source address
```

Regards,
Dylan

CONFIDENTIALITY NOTICE:
This email and its attachments are intended solely for the use of the intended addressee; and may contain confidential and/or privileged information. You are hereby notified that any unauthorized use of this email or its attachments is strictly prohibited. If you have received this email in error, please destroy instances of it, and any information that was derived directly from it. To be clear, the message and its headers (SMTP, IMAP, POP message, etc.) is 'this email', but network headers (Ethernet, Internet Protocol, Transmission Control Protocol, User Datagram Protocol, etc.) are not.

SIGNATURE NOTICE:
If we have not met, the below public key is not useful.

sunny_0xAD0EBA5C_public.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
KEY REDACTED, WE HAVE NOT MET.
-----END PGP PUBLIC KEY BLOCK-----

Sent with Proton Mail secure email.
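
The Router Alert match Marek asks for, written with the raw payload form suggested in the reply, as an added example (not code from either message; the set definition is Marek's). It assumes the Hop-by-Hop header sits directly after the 40-byte base header, as RFC 8200 requires, and that Router Alert is the first option in it, as MLD senders build it:

```nft
table inet mld_filter {
    set icmp6_mld {
        type icmpv6_type . icmpv6_code
        elements = { mld-listener-query . 0, mld2-listener-report . 0 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Requirements 1-5 in one rule. With Hop-by-Hop directly after the
        # base header, its option area starts at byte 42 = bit 336. The
        # RFC 2711 Router Alert option for MLD is type 0x05, length 0x02,
        # value 0x0000, i.e. the 32-bit word 0x05020000.
        # Assumption: Router Alert is the first option (a PadN follows it).
        ip6 hoplimit 1 ip6 saddr fe80::/10 exthdr hbh exists @nh,336,32 == 0x05020000 icmpv6 type . icmpv6 code @icmp6_mld counter accept

        # Any other MLD message (wrong type, hop limit, source address or
        # missing Router Alert) is dropped; unrelated traffic falls through.
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } counter drop
    }
}
```

The drop rule makes the "only these two MLD types" requirement explicit; counters on both rules let you confirm that real MLD traffic takes the accept path before tightening anything else.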

