RFC Errata
RFC 4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls", May 2007
Source of RFC: v6ops (ops)
See Also: RFC 4890 w/ inline errata
Errata ID: 2706
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Phil Whineray
Date Reported: 2011-02-06
Verifier Name: ron bonica
Date Verified: 2011-03-03
Section Appendix B. says:
if [ "$STATE_ENABLED" -eq "1" ]
then
    # Allow incoming time exceeded code 0 messages
    # only for existing sessions
    for inner_prefix in $INNER_PREFIXES
    do
        ip6tables -A icmpv6-filter -m state -p icmpv6 \
            -d $inner_prefix \
            --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \
            -j ACCEPT
    done
else
    # Allow incoming time exceeded code 0 messages
    for inner_prefix in $INNER_PREFIXES
    do
        ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
            --icmpv6-type ttl-zero-during-transit -j ACCEPT
    done
fi
It should say:
if [ "$STATE_ENABLED" -eq "1" ]
then
    # Allow incoming time exceeded code 0 messages
    # only for existing sessions
    for inner_prefix in $INNER_PREFIXES
    do
        ip6tables -A icmpv6-filter -m state -p icmpv6 \
            -d $inner_prefix \
            --state ESTABLISHED,RELATED --icmpv6-type ttl-zero-during-transit \
            -j ACCEPT
    done
else
    # Allow incoming time exceeded code 0 messages
    for inner_prefix in $INNER_PREFIXES
    do
        ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \
            --icmpv6-type ttl-zero-during-transit -j ACCEPT
    done
fi
Notes:
Not sure if this is really editorial as it is in the example code, not the main RFC.
In any case, the example incorrectly specifies an icmpv6 type in one code path.
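As an added illustration (not part of the erratum or of RFC 4890), a small Python checker that resolves ip6tables --icmpv6-type names to RFC 4443 (type, code) pairs and reports which messages each ACCEPT rule in a script admits. Run over constructed excerpts of the original and corrected rules, it shows that the stateful path in the original admits Packet Too Big (type 2) but not Time Exceeded code 0, and it also flags a misspelled type name that ip6tables would reject. The name table is an assumed subset of what ip6tables accepts.

```python
import re

# ip6tables --icmpv6-type names mapped to RFC 4443 (type, code); None = any code.
# Assumed subset for this example, not the full list ip6tables knows.
ICMPV6_NAMES = {
    "destination-unreachable": (1, None),
    "packet-too-big": (2, None),
    "time-exceeded": (3, None),
    "ttl-zero-during-transit": (3, 0),
    "ttl-zero-during-reassembly": (3, 1),
    "parameter-problem": (4, None),
}
TYPE_RE = re.compile(r"--icmpv6-type\s+(\S+)")

def parse_rules(script):
    """Return [(icmpv6-type name, stateful?)] for each ip6tables ACCEPT rule.
    Backslash-newline continuations are joined first, as the shell does."""
    rules = []
    for line in script.replace("\\\n", " ").splitlines():
        if "ip6tables" in line and "-j ACCEPT" in line:
            m = TYPE_RE.search(line)
            if m:
                rules.append((m.group(1), "--state" in line))
    return rules

def admits(script, wanted, stateful):
    """True if an ACCEPT rule on the given path (stateful or not) matches (type, code)."""
    for name, is_stateful in parse_rules(script):
        if is_stateful != stateful:
            continue
        t, c = ICMPV6_NAMES.get(name, (None, None))
        if t == wanted[0] and c in (None, wanted[1]):
            return True
    return False

def unknown_names(script):
    """Type names ip6tables would reject at load time (e.g. a 'transmit' typo)."""
    return sorted({n for n, _ in parse_rules(script) if n not in ICMPV6_NAMES})

# Constructed excerpt of the Appendix B rules as published, then the erratum's fix.
RFC_TEXT = """
ip6tables -A icmpv6-filter -m state -p icmpv6 \\
    -d $inner_prefix \\
    --state ESTABLISHED,RELATED --icmpv6-type packet-too-big \\
    -j ACCEPT
ip6tables -A icmpv6-filter -p icmpv6 -d $inner_prefix \\
    --icmpv6-type ttl-zero-during-transit -j ACCEPT
"""
ERRATA_TEXT = RFC_TEXT.replace("packet-too-big", "ttl-zero-during-transit")
TYPO_TEXT = RFC_TEXT.replace("packet-too-big", "ttl-zero-during-transmit")
TIME_EXCEEDED_CODE_0 = (3, 0)
```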
