Closed gaudenz closed 7 years ago
After thinking about this a bit more, I changed the reject type from adm-prohibited to the default of icmp6-port-unreachable.
ICMPv6 destination unreachable code icmp6-adm-prohibited "matches" ICMPv4 destination unreachable code icmp-host-prohibited. According to RFC4443 [1] we should be using code 4 instead:

"A destination node SHOULD originate a Destination Unreachable message with Code 4 in response to a packet for which the transport protocol (e.g., UDP) has no listener, if that transport protocol has no alternative means to inform the sender."

Code 4 is port unreachable and IMHO the default code being used in an ip6tables REJECT statement.
Sorry, was a bit late with my remark. Thanks for changing the reject type!
Reject rules have let through protocols other than TCP or UDP for IPv6. These were already rejected for IPv4. This commit adds a similar rule for IPv6 which rejects with adm-prohibited.
Fixes #105.
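As an added example (not the project's code nor any commenter's), a POSIX shell check for the two points this thread raises: whether an ip6tables INPUT chain still lets non-TCP/UDP traffic fall through to its ACCEPT policy, and whether a --reject-with name is valid for the address family. The rulesets are constructed and abbreviated; the rule names and reject types are the ones documented in iptables-extensions(8).

```shell
# Added example (not the project's own code): check an ip6tables ruleset for the gap
# this PR closes, and check that a --reject-with name is valid for the address family.
set -eu

# Constructed, abbreviated ip6tables-save output (table header and COMMIT omitted).
# "Before": TCP and UDP are rejected, anything else falls through to the ACCEPT policy.
RULES_BEFORE=':INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable'
# "After": the catch-all the commit adds, with the default reject type the thread settles on.
CATCHALL='-A INPUT -j REJECT --reject-with icmp6-port-unreachable'
RULES_AFTER="$RULES_BEFORE
$CATCHALL"

# chain_closed CHAIN RULESET: succeeds when nothing can leave CHAIN unhandled, i.e. the
# policy is DROP or a rule with no -p/-s/-d/-i/-o/-m match jumps to REJECT or DROP.
chain_closed() {
  printf '%s\n' "$2" | awk -v chain="$1" '
    $1 == (":" chain) && $2 == "DROP" { closed = 1 }
    $1 == "-A" && $2 == chain {
      unconditional = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") { target = $(i + 1); break }
        if ($i ~ /^(-p|-s|-d|-i|-o|-m|!)$/) unconditional = 0
      }
      if (unconditional && (target == "REJECT" || target == "DROP")) closed = 1
    }
    END { exit (closed ? 0 : 1) }'
}
# reject_type_valid FAMILY TYPE: succeeds when TYPE is a --reject-with name that iptables
# (4) or ip6tables (6) accepts per iptables-extensions(8); an IPv4 name in ip6tables
# (e.g. icmp-host-prohibited) makes the rule fail to load, which leaves the gap open.
reject_type_valid() {
  case "$1:$2" in
    4:icmp-net-unreachable|4:icmp-host-unreachable|4:icmp-port-unreachable|\
    4:icmp-proto-unreachable|4:icmp-net-prohibited|4:icmp-host-prohibited|\
    4:icmp-admin-prohibited|4:tcp-reset) return 0 ;;
    6:icmp6-no-route|6:no-route|6:icmp6-adm-prohibited|6:adm-prohibited|\
    6:icmp6-addr-unreachable|6:addr-unreach|6:icmp6-port-unreachable|\
    6:port-unreach|6:tcp-reset) return 0 ;;
    *) return 1 ;;
  esac
}

if chain_closed INPUT "$RULES_BEFORE"; then echo "before: closed"; else echo "before: open (#105)"; fi
if chain_closed INPUT "$RULES_AFTER"; then echo "after: closed"; else echo "after: open"; fi
```

Run it against real output of `ip6tables-save` (minus the header and COMMIT lines) to check a live host the same way.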