Filtering MLD messages

public inbox for netfilter@vger.kernel.org
 help / color / mirror / Atom feed

* Filtering MLD messages
@ 2025-11-30 21:04 Marek Küthe
  2025-12-01  3:24 ` Sunny73Cr
  0 siblings, 1 reply; 2+ messages in thread
From: Marek Küthe @ 2025-11-30 21:04 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 1013 bytes --]

Hello,

I would like to filter MLD messages:
1. Only MLD listener queries and MLD2 listener reports should be
allowed.
2. The messages must have a hop limit of 1.
3. The messages must have a hop-by-hop extension header.
4. The messages must have the router alert option set in the hop-by-hop
extension header.
5. The source address is in the link-local range.

```
set icmp6_mld {
    type icmpv6_type . icmpv6_code;
    flags interval;
    elements = {
        mld-listener-query . 0,
        mld2-listener-report . 0
    };
}

[...]

icmpv6 type . icmpv6 code @icmp6_mld ip6 hoplimit 1 exthdr hbh exists ip6 saddr fe80::/10 counter accept;
```

I have managed to write 1-3 and 5, but I don't know how to filter
the Router Alert option. I have seen that there is `ip option ra`, but
it doesn't seem to work for IPv6. Does anyone know how to write such a
filter?

I would really appreciate some help!

Best regards,
Marek Küthe

-- 
Marek Küthe
m.k@mk16.de
er/ihm he/him

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Filtering MLD messages
  2025-11-30 21:04 Filtering MLD messages Marek Küthe
@ 2025-12-01  3:24 ` Sunny73Cr
  0 siblings, 0 replies; 2+ messages in thread
From: Sunny73Cr @ 2025-12-01  3:24 UTC (permalink / raw)
  To: Marek Küthe; +Cc: netfilter

Hello Marek,

> I would like to filter MLD messages:

If the following lines in the listed files, and the neighbouring functions, also; appear to be incompatible: you may need to write some code before this can be done.

Check line 342 in 'payload.c':
https://git.netfilter.org/nftables/tree/src/payload.c

Check line 458 in 'netlink_delinearize.c': https://git.netfilter.org/nftables/tree/src/netlink_delinearize.c

In lieu of an NFQUEUE program; I suggest using raw payload expressions of the form `(ll|nh|ih)@ofs,len`; where 'ofs' and 'len' are integer values, and are in 'bits'.

> 5. The source address is in the link-local range.

An example of matching IPV6 source addresses using raw payload expressions is:
`
@nh,64,16 & 0xFE80 != 0
`

Regards,
Dylan

CONFIDENTIALITY NOTICE:
This email and its attachments are intended solely for the use of the intended addressee; and may contain confidential and/or privileged information. You are hereby notified that any unauthorized use of this email or its attachments is strictly prohibited. If you have received this email in error, please destroy instances of it, and any information that was derived directly from it. To be clear, the message and its headers (SMTP, IMAP, POP message, etc.) is 'this email', but network headers (Ethernet, Internet Protocol, Transmission Control Protocol, User Datagram Protocol, etc.) are not.

SIGNATURE NOTICE:
If we have not met, the below public key is not useful.

sunny_0xAD0EBA5C_public.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
KEY REDACTED, WE HAVE NOT MET.
-----END PGP PUBLIC KEY BLOCK-----

Sent with Proton Mail secure email.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-12-01  3:24 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-30 21:04 Filtering MLD messages Marek Küthe
2025-12-01  3:24 ` Sunny73Cr

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox