From 00a6ab48b5109506c505191815d3c2b32bbedf9a Mon Sep 17 00:00:00 2001
From: Jakub Jirutka
Date: Tue, 16 Jan 2024 13:53:57 +0100
Subject: [PATCH] main/nftables: don't use nexthdr to match icmpv6

https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers

> Caution when using ip6 nexthdr, the value only refers to the next
> header, i.e. ip6 nexthdr tcp will only match if the ipv6 packet does
> not contain any extension headers.
---
 main/nftables/APKBUILD | 4 ++--
 main/nftables/nftables.nft | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index fad8af11f54..701b9638175 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Francesco Colista
 pkgname=nftables
 pkgver=1.0.9
-pkgrel=0
+pkgrel=1
 pkgdesc="Netfilter tables userspace tools"
 url="https://netfilter.org/projects/nftables"
 arch="all"
@@ -88,5 +88,5 @@ sha512sums="
 dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8 nftables-1.0.9.tar.xz
 5a298ea01df60b434791fea94306d5b14f7ce684329e4122cc78bb52d1c272fcc48b06eaae154fd082c05f7030792fe42e73814caf3c7be3c446bb265fe25642 nftables.confd
 93a4d3109e3b7d36bcd0901755e1ee4dba3b5555deddc5eecdee2ccbcce15c08f122bf8f1c879c3f696f6a5a13d283536a0ff5e1af82289c3263b6aeb9d116d0 nftables.initd
-2dfc81a204af6e9516f78df97603e320453679bd9d34e7e8376b110438bb4d406d571df5efcbb76a446cd4a456c8a497092933219286e41a67bbd1483b38af39 nftables.nft
+b524c124a11f870ae789d5ad05de8a49d365d6c2cb3cd94c21669c5ae0e453481c671a1700ee6518372b10c491b50c5d81ea59fa941092a9161d1b13be7a13b6 nftables.nft
 "
diff --git a/main/nftables/nftables.nft b/main/nftables/nftables.nft
index c75dff0b743..391e800eae9 100644
--- a/main/nftables/nftables.nft
+++ b/main/nftables/nftables.nft
@@ -35,7 +35,7 @@ table inet filter {
 # ICMPv6
- ip6 nexthdr icmpv6 icmpv6 type {
+ icmpv6 type {
 destination-unreachable, # type 1
 packet-too-big, # type 2
 time-exceeded, # type 3
@@ -45,7 +45,7 @@ table inet filter {
 } accept \
 comment "Accept basic IPv6 functionality"
- ip6 nexthdr icmpv6 icmpv6 type {
+ icmpv6 type {
 nd-router-solicit, # type 133
 nd-router-advert, # type 134
 nd-neighbor-solicit, # type 135
@@ -53,7 +53,7 @@ table inet filter {
 } ip6 hoplimit 255 accept \
 comment "Allow IPv6 SLAAC"
- ip6 nexthdr icmpv6 icmpv6 type {
+ icmpv6 type {
 mld-listener-query, # type 130
 mld-listener-report, # type 131
 mld-listener-reduction, # type 132
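Review bot: The rewritten `icmpv6 type {` line in this hunk (and the identical change in the hunks at -45 and -53) leaves nothing in nftables.nft itself recording why `ip6 nexthdr icmpv6` was dropped, so a later maintainer reading the ruleset without the commit message may reintroduce the prefix and silently stop matching ICMPv6 carried behind extension headers. A short comment above the first rule, under `# ICMPv6`, would prevent that: `# Do not prefix these with "ip6 nexthdr icmpv6": nexthdr only inspects the first header, so ICMPv6 behind extension headers would never match.` Dropping the prefix should not loosen the rules, since in the inet family `icmpv6 type` is expected to carry its own implicit ipv6-icmp transport dependency, but it is worth confirming on the target kernel with `nft -c -f` and by inspecting `nft list ruleset` output. The set body and the `} accept` of the first rule continue outside the hunk.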