Firewall: Drop IPv6 neighbour solicitation broadcasts


dave14305

Part of the Furniture
Today I switched back over to Merlin 384.13 to test some things and was reviewing my restored settings and saw that on Tools / Other Settings I had once enabled "Firewall: Drop IPv6 neighbour solicitation broadcasts (default: No)" since I am on Comcast/Xfinity. I believe I once saw a bunch of IPv6 traffic in tcpdump on the WAN interface, so decided to try this.

To get to the point, I went looking to see what this setting does, and expected to find an ip6tables rule in the mangle table, but found nothing.
Code:
# ip6tables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
The nvram setting ipv6_ns_drop is correctly set to 1. Does this feature work for anyone else? I'm on an AC68U. IPv6 is disabled on the router, but the IPv6 firewall is enabled. I don't see that the code discriminates too much on this setting, but can't figure out why there's no rule, unless it's getting flushed out later in the firewall start.
 
My best guess at what is happening...

ipv6_ns_drop is in mangle_setting() and ipv6_neighsol_drop is in mangle_setting2().

Both of these are processed just before the following piece of code which effectively wipes them out when IPv6 is disabled.

https://github.com/RMerl/asuswrt-me...29fa6f/release/src/router/rc/firewall.c#L6186
Code:
#ifdef RTCONFIG_IPV6
    if (!ipv6_enabled())
    {
        eval("ip6tables", "-F");
        eval("ip6tables", "-t", "mangle", "-F");
    }
#endif
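A small diagnostic for the situation described in the opening post and the explanation above, added here as an example and not code from the thread or the asuswrt-merlin project. It assumes (not confirmed by the thread) that the rule, when installed, is a mangle-table DROP on ICMPv6 type 135 (neighbour solicitation) and that nvram ipv6_service reads "disabled" when IPv6 is off; the rulesets below are constructed so it runs off the router.

```shell
#!/bin/sh
# Added diagnostic; not from the thread or the asuswrt-merlin sources.
# Assumption: the NS-drop rule is a DROP in the mangle table matching
# ICMPv6 type 135 / neighbour-solicitation; ipv6_service is "disabled"
# (or empty) when IPv6 is turned off on the router.

# ns_rule_present RULESET
# RULESET is the text of `ip6tables -t mangle -S`. Returns 0 if a rule
# dropping ICMPv6 neighbour solicitations is listed, 1 otherwise.
ns_rule_present() {
    printf '%s\n' "$1" |
        grep -E '^-A .*icmpv6-type (135|neighbour-solicitation).*-j DROP' >/dev/null
}

# ns_drop_status NVRAM_NS_DROP NVRAM_IPV6_SERVICE RULESET
# Prints one word describing the state the thread discusses.
ns_drop_status() {
    ns_drop=$1; ipv6_service=$2; ruleset=$3
    if [ "$ns_drop" != "1" ]; then
        echo "disabled"   # setting off, so no rule is expected
    elif ns_rule_present "$ruleset"; then
        echo "active"     # setting on and the rule is installed
    elif [ -z "$ipv6_service" ] || [ "$ipv6_service" = "disabled" ]; then
        echo "flushed"    # setting on, IPv6 off: firewall.c flushes mangle
    else
        echo "missing"    # setting on, IPv6 on, still no rule: investigate
    fi
}

# Constructed sample rulesets (not captured from a real router).
EMPTY_MANGLE='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'
WITH_RULE="$EMPTY_MANGLE
-A PREROUTING -i eth0 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP"

# On the router itself the call would be:
# ns_drop_status "$(nvram get ipv6_ns_drop)" "$(nvram get ipv6_service)" \
#                "$(ip6tables -t mangle -S)"
ns_drop_status 1 disabled "$EMPTY_MANGLE"   # prints: flushed
```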
This morning I experimented with enabling IPv6 and I still didn’t see the rule created. So probably some firewall voodoo at work.
I think it only remains active if needed. I noticed my connection for IPv6 has a lot fewer dropped packets when the setting is on, due to the solicitation being blocked.
 
