1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
chain allow_icmp_4 {
icmp type {
destination-unreachable, # 3, Destination Unreachable
time-exceeded, # 11, Time Exceeded
parameter-problem # 12, Parameter Problem
} accept
}
chain allow_icmp_6 {
icmpv6 type {
destination-unreachable, # 1, Destination Unreachable
packet-too-big, # 2, Packet Too Big
time-exceeded, # 3, Time Exceeded
parameter-problem, # 4, Parameter Problem
nd-router-solicit, # 133, Router Solicitation
nd-neighbor-solicit, # 135, Neighbor Solicitation
nd-neighbor-advert, # 136, Neighbor Advertisement
ind-neighbor-solicit, # 141, Inverse Neighbor Discovery Solicitation Message
ind-neighbor-advert # 142, Inverse Neighbor Discovery Advertisement Message
} accept
icmpv6 type . ip6 saddr {
nd-router-advert . fe80::/10, # 134, Router Advertisement
mld-listener-query . fe80::/10, # 130, Multicast Listener Query
mld-listener-report . fe80::/10, # 131, Multicast Listener Report
mld-listener-done . fe80::/10, # 132, Multicast Listener Done
149 . fe80::/10, # 149, Certification Path Advertisement Message
151 . fe80::/10, # 151, Multicast Router Advertisement
152 . fe80::/10, # 152, Multicast Router Solicitation
153 . fe80::/10, # 153, Multicast Router Termination
mld2-listener-report . fe80::/10, # 143, Version 2 Multicast Listener Report
mld2-listener-report . ::,
148 . fe80::/10, # 148, Certification Path Solicitation Message
148 . ::
} accept
}
chain smurfs_4 {
ip saddr 0.0.0.0 return
fib saddr type { broadcast, multicast } jump smurfs_drop
}
chain smurfs_6 {
fib saddr type multicast jump smurfs_drop
}
|
