This repository was archived by the owner on Aug 5, 2022. It is now read-only.

Nftables ruleset does not match valid MLD packets #338

@ao2

Hi,

from my experiments with nftables (https://ao2.it/134), it looks like the rule used in this project for MLD packets is not enough to match valid MLD packets. I am referring to:

The problem is that, for valid MLD packets, the next header after the IPv6 one is not immediately the ICMPv6 one but the Hop-by-Hop Options header, so the rule you are using:

        # Allow multicast listener discovery on link-local addresses.
        ip6 nexthdr icmpv6 icmpv6 type {{
                mld-listener-query,
                ...

Should probably become something like:

        # Allow multicast listener discovery on link-local addresses.
        ip6 nexthdr hopopt hbh nexthdr ipv6-icmp icmpv6 type {{
                mld-listener-query,
                ...

See also the referenced blog post for more details.

I only tested this in a limited environment, so I'd like some confirmation that this is actually an issue.

Ciao,
Antonio
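As an added example (not part of the issue above and not the project's own ruleset), the following Python builds an MLDv1 General Query the way RFC 2710 requires it, with a Hop-by-Hop Options header carrying the Router Alert option and hop limit 1, walks the IPv6 extension-header chain, and re-implements the two match predicates as the rule text reads them: `ip6 nexthdr` compares the Next Header field of the fixed IPv6 header, and `hbh nexthdr` the Next Header field of the Hop-by-Hop header. The addresses and the "no router alert" variant are constructed for illustration; nftables itself is not invoked.

```python
"""Constructed MLD packets plus a re-implementation of the two nftables match
predicates from the issue, showing why the original rule never sees a valid
MLD packet.  Added example, not the project's code; addresses are made up."""
import ipaddress
import struct

# IANA protocol numbers as they appear in the IPv6 Next Header chain.
IPPROTO_HOPOPTS = 0     # nftables: "hopopt"
IPPROTO_ICMPV6 = 58     # nftables: "icmpv6" / "ipv6-icmp"

# MLD message types (RFC 2710 / RFC 3810) that the ruleset intends to allow.
MLD_TYPES = {
    130,  # mld-listener-query
    131,  # mld-listener-report
    132,  # mld-listener-done
    143,  # mld2-listener-report
}

# Constructed link-local source and all-nodes multicast destination.
SRC = ipaddress.IPv6Address("fe80::1").packed
DST = ipaddress.IPv6Address("ff02::1").packed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_mld_query(src: bytes, dst: bytes, router_alert: bool = True) -> bytes:
    """Build an MLDv1 General Query.  RFC 2710 requires the Router Alert
    Hop-by-Hop option and hop limit 1; router_alert=False yields the
    non-conformant packet that the original rule would match."""
    # ICMPv6: type 130, code 0, checksum, max response delay, reserved, multicast address (::)
    icmp = struct.pack("!BBHHH16s", 130, 0, 0, 10000, 0, bytes(16))
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(pseudo + icmp)) + icmp[4:]

    if router_alert:
        # Hop-by-Hop header: nexthdr=58, hdr ext len=0 (8 octets total),
        # Router Alert option (type 5, len 2, value 0 = MLD), PadN(0) to fill.
        hbh = struct.pack("!BBBBHBB", IPPROTO_ICMPV6, 0, 5, 2, 0, 1, 0)
        payload, first_nh = hbh + icmp, IPPROTO_HOPOPTS
    else:
        payload, first_nh = icmp, IPPROTO_ICMPV6

    # Fixed IPv6 header: version 6, payload length, next header, hop limit 1.
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), first_nh, 1, src, dst)
    return ip6 + payload


def header_chain(pkt: bytes):
    """Walk the extension-header chain.  Returns (Next Header values starting
    with the fixed header's field, offset of the upper-layer header)."""
    nh, off = pkt[6], 40
    chain = [nh]
    while True:
        if nh in (0, 43, 60):            # hop-by-hop, routing, destination options
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == 44:                   # fragment header is a fixed 8 octets
            nh, off = pkt[off], off + 8
        else:
            return chain, off
        chain.append(nh)


def icmpv6_type(pkt: bytes) -> int:
    chain, off = header_chain(pkt)
    return pkt[off] if chain[-1] == IPPROTO_ICMPV6 else -1


def rule_original(pkt: bytes) -> bool:
    """ip6 nexthdr icmpv6 icmpv6 type { mld-... }: 'ip6 nexthdr' is the Next
    Header field of the fixed header, so a leading HBH header fails the match."""
    return pkt[6] == IPPROTO_ICMPV6 and icmpv6_type(pkt) in MLD_TYPES


def rule_fixed(pkt: bytes) -> bool:
    """ip6 nexthdr hopopt hbh nexthdr icmpv6 icmpv6 type { mld-... }."""
    chain, _ = header_chain(pkt)
    return chain[:2] == [IPPROTO_HOPOPTS, IPPROTO_ICMPV6] and icmpv6_type(pkt) in MLD_TYPES


def icmpv6_checksum_ok(pkt: bytes) -> bool:
    """Recompute the ICMPv6 checksum over the pseudo-header; a valid packet gives 0."""
    _, off = header_chain(pkt)
    icmp = pkt[off:]
    pseudo = pkt[8:24] + pkt[24:40] + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6)
    return inet_checksum(pseudo + icmp) == 0


if __name__ == "__main__":
    for ra in (True, False):
        p = build_mld_query(SRC, DST, router_alert=ra)
        print("router alert" if ra else "no router alert", header_chain(p)[0],
              "original:", rule_original(p), "fixed:", rule_fixed(p))
```

Running it shows the conformant query with chain `[0, 58]` matched only by the corrected rule and the non-conformant one with chain `[58]` matched only by the original rule; a ruleset that wants to accept the packets real hosts and routers send therefore needs the `hopopt`/`hbh nexthdr` form.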
