From: Mark Wooding
Date: Sun, 11 Mar 2012 16:33:25 +0000 (+0000)
Subject: Extend proper ICMP handling to IPv6.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/8b021091932977b8bae420b7845369018e301451
Extend proper ICMP handling to IPv6.
Take the opportunity to use the `icmpv6' protocol name throughout. Fortunately, in a few places where we use `ip46tables', it's actually possible to use plain `-p icmp'.
---
diff --git a/icmp.m4 b/icmp.m4
index d3a7507..460c838 100644
--- a/icmp.m4
+++ b/icmp.m4
@@ -30,16 +30,27 @@ clearchain check-icmp
 ## Ping needs inspecting on a host-by-host basis.
 for type in echo-request echo-reply; do
 run iptables -A check-icmp -p icmp --icmp-type $type -j RETURN
+ run ip6tables -A check-icmp -p icmpv6 --icmpv6-type $type -j RETURN
 done
 
-## Certainly don't allow ping to broadcast addresses.
-run iptables -A check-icmp -g forbidden \
- -p icmp --icmp-type echo-request \
- -m addrtype --dst-type BROADCAST
+## Certainly don't allow ping to broadcast or multicast addresses.
+case $forward in
+ 1)
+ run iptables -A FORWARD -g forbidden \
+ -p icmp --icmp-type echo-request \
+ -m addrtype --dst-type BROADCAST
+ run iptables -A FORWARD -g forbidden \
+ -p icmp --icmp-type echo-request \
+ -d 224.0.0.0/8
+ run ip6tables -A FORWARD -g forbidden \
+ -p icmpv6 --icmpv6-type echo-request \
+ -d ff00::/16
+ ;;
+esac
 
 m4_divert(58)m4_dnl
 ## Other ICMP is basically benign, we claim.
-run iptables -A check-icmp -j ACCEPT
+run ip46tables -A check-icmp -j ACCEPT
 
 ## Done.
 for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done
diff --git a/local.m4 b/local.m4
index d91b171..f373e3f 100644
--- a/local.m4
+++ b/local.m4
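Review bot: The two multicast destination prefixes in the new `case $forward` block of icmp.m4 are too narrow: IPv4 multicast is 224.0.0.0/4 (224.0.0.0 through 239.255.255.255), so `-d 224.0.0.0/8` matches only 224.x.x.x, and IPv6 multicast is ff00::/8, so `-d ff00::/16` matches none of the real group addresses such as ff02::1; the two lines should read `-d 224.0.0.0/4` and `-d ff00::/8`. Separately, the broadcast/multicast echo-request rejection moves out of `check-icmp`, which the last line of the hunk still attaches to every chain in `$inchains`, into `FORWARD` only, and only when `$forward` is 1, so INPUT apparently no longer rejects pings to broadcast destinations; if that narrowing is intended, the comment above the `case` should say so, e.g. `## Only forwarded traffic is checked here; locally delivered broadcast pings are not rejected.` The `case` block itself is complete within the hunk.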
@@ -172,10 +172,10 @@ case $forward in
 -m mark --mark $from_untrusted/$MASK_FROM \
 -m state --state ESTABLISHED
 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
+ -p icmpv6 --icmpv6-type echo-request \
 -m mark --mark $to_untrusted/$MASK_TO
 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
+ -p icmpv6 --icmpv6-type echo-reply \
 -m mark --mark $from_untrusted/$MASK_FROM \
 -m state --state ESTABLISHED