main/nftables: don't use nexthdr to match icmpv6

https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers > Caution when using ip6 nexthdr, the value only refers to the next > header, i.e. ip6 nexthdr tcp will only match if the ipv6 packet does > not contain any extension headers.
2026-05-04 20:06:43 +02:00 · 2024-01-16 13:53:57 +01:00 · 2024-01-16 13:53:57 +01:00 · 00a6ab48b5
commit 00a6ab48b5
parent 4241e6256e
2 changed files with 5 additions and 5 deletions
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@ -3,7 +3,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=nftables
 pkgver=1.0.9
-pkgrel=0
+pkgrel=1
 pkgdesc="Netfilter tables userspace tools"
 url="https://netfilter.org/projects/nftables"
 arch="all"
@ -88,5 +88,5 @@ sha512sums="
 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8  nftables-1.0.9.tar.xz
 5a298ea01df60b434791fea94306d5b14f7ce684329e4122cc78bb52d1c272fcc48b06eaae154fd082c05f7030792fe42e73814caf3c7be3c446bb265fe25642  nftables.confd
 93a4d3109e3b7d36bcd0901755e1ee4dba3b5555deddc5eecdee2ccbcce15c08f122bf8f1c879c3f696f6a5a13d283536a0ff5e1af82289c3263b6aeb9d116d0  nftables.initd
-2dfc81a204af6e9516f78df97603e320453679bd9d34e7e8376b110438bb4d406d571df5efcbb76a446cd4a456c8a497092933219286e41a67bbd1483b38af39  nftables.nft
+b524c124a11f870ae789d5ad05de8a49d365d6c2cb3cd94c21669c5ae0e453481c671a1700ee6518372b10c491b50c5d81ea59fa941092a9161d1b13be7a13b6  nftables.nft
 "
--- a/main/nftables/nftables.nft
+++ b/main/nftables/nftables.nft
@ -35,7 +35,7 @@ table inet filter {

 		# ICMPv6

-		ip6 nexthdr icmpv6 icmpv6 type {
+		icmpv6 type {
 			destination-unreachable,  # type 1
 			packet-too-big,  # type 2
 			time-exceeded,  # type 3
@ -45,7 +45,7 @@ table inet filter {
 		} accept \
 		comment "Accept basic IPv6 functionality"

-		ip6 nexthdr icmpv6 icmpv6 type {
+		icmpv6 type {
 			nd-router-solicit,  # type 133
 			nd-router-advert,  # type 134
 			nd-neighbor-solicit,  # type 135
@ -53,7 +53,7 @@ table inet filter {
 		} ip6 hoplimit 255 accept \
 		comment "Allow IPv6 SLAAC"

-		ip6 nexthdr icmpv6 icmpv6 type {
+		icmpv6 type {
 			mld-listener-query,  # type 130
 			mld-listener-report,  # type 131
 			mld-listener-reduction,  # type 132