
I have a CentOS load balancer using Piranha and direct routing. This uses arptables on the real servers to keep them from claiming the virtual IPv4 addresses. I would like to expand this setup to support IPv6 as well. So far, the only option I've found is to use the iptables solution instead of arptables with ip6tables and a TPROXY target, but I'm not sure that will work as well. Is there an arptables-like solution for neighbor discovery?

abatie

1 Answer


ARP is a separate protocol from IPv4 and therefore needs its own filter tables. Neighbour discovery is implemented using plain IPv6 with ICMPv6 messages, so you can use ip6tables to filter them.

Sander Steffann
  • That is a good point, however ip6tables doesn't make the job of discriminating between the valid neighbor packets for the real address(es) and the virtual addresses that need to be filtered very easy, as I don't see a "target address" option. Using the string extension does work however: `ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m string --hex-string "|2607 f678 0000 0000 0000 0000 0018 0130|" --algo bm -j DROP` – abatie Aug 11 '17 at 23:06
  • Hmm, yeah. There should be better filters for that. Time for a feature request I guess... – Sander Steffann Aug 12 '17 at 09:00
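The string-match rule in the comment above works because an ICMPv6 Neighbor Solicitation carries its target address at a fixed position (byte 8 to 23 of the ICMPv6 payload, RFC 4861), so the raw bytes of the virtual address are guaranteed to appear in any solicitation for it. The following Python script is an added example, not code from the question, the answer, or the Piranha project: it renders a VIP in the `--hex-string` format ip6tables expects, emits the equivalent DROP rule, and parses a constructed solicitation to show the field the rule is effectively matching. The packet builder, the address `2001:db8::1` and the function names are assumptions made for the example.

```python
"""Generate and sanity-check ip6tables rules that stop a direct-routing real
server from answering Neighbor Solicitations for a load balancer's IPv6 VIP.

Added example, not part of the original question or answer. It uses only
the standard library and the ip6tables string-match syntax quoted above.
"""
import ipaddress
import shlex
import struct

ICMPV6_NEIGHBOR_SOLICITATION = 135  # ICMPv6 type for NS, RFC 4861 section 4.3


def vip_to_hex_string(addr):
    """Render an IPv6 address as the 16-bit-grouped form used with
    --hex-string, e.g. "|2001 0db8 0000 0000 0000 0000 0000 0001|".
    IPv6Address.packed is always the fully expanded 16-byte form, so
    compressed input such as "2001:db8::1" is handled correctly."""
    packed = ipaddress.IPv6Address(addr).packed
    groups = [packed[i:i + 2].hex() for i in range(0, 16, 2)]
    return "|" + " ".join(groups) + "|"


def ns_drop_rule(addr, chain="INPUT"):
    """Return, as an argv list, the ip6tables command that drops Neighbor
    Solicitations whose payload contains the given VIP (the rule from the
    comment above, parameterised on the address)."""
    return ["ip6tables", "-A", chain, "-p", "icmpv6",
            "--icmpv6-type", "neighbor-solicitation",
            "-m", "string", "--hex-string", vip_to_hex_string(addr),
            "--algo", "bm", "-j", "DROP"]


def build_ns(target):
    """Constructed ICMPv6 Neighbor Solicitation payload (no options, checksum
    left zero), used only to demonstrate where the target address sits.
    Layout: type(1) code(1) checksum(2) reserved(4) target(16)."""
    header = struct.pack("!BBHI", ICMPV6_NEIGHBOR_SOLICITATION, 0, 0, 0)
    return header + ipaddress.IPv6Address(target).packed


def ns_target(payload):
    """Extract the target address from an NS payload. This is the precise
    check an arptables-style "target address" filter would perform."""
    if len(payload) < 24:
        raise ValueError("too short for a Neighbor Solicitation")
    if payload[0] != ICMPV6_NEIGHBOR_SOLICITATION:
        raise ValueError("not a Neighbor Solicitation (type %d)" % payload[0])
    return str(ipaddress.IPv6Address(payload[8:24]))


def matches_rule(payload, addr):
    """Mimic what the string match actually tests: do the VIP's raw bytes
    occur anywhere in the payload? This is broader than ns_target() == VIP,
    which is the caveat to keep in mind when choosing the VIP bytes."""
    return ipaddress.IPv6Address(addr).packed in payload


def should_answer(payload, vips):
    """Real-server decision: answer a solicitation only when its target is
    one of the host's own addresses rather than a VIP owned by the director."""
    vip_set = {str(ipaddress.IPv6Address(v)) for v in vips}
    return ns_target(payload) not in vip_set


if __name__ == "__main__":
    # Constructed VIP from the documentation prefix (assumption for the example).
    vip = "2001:db8::1"
    print(" ".join(shlex.quote(a) for a in ns_drop_rule(vip)))
    pkt = build_ns(vip)
    print("NS target:", ns_target(pkt), "drop:", not should_answer(pkt, [vip]))
```

Running the script prints a ready-to-apply rule for the constructed VIP; substitute the real virtual address and add one rule per VIP on each real server. Because the match scans the whole payload rather than the target field, confirm with `ns_target()` style reasoning that no legitimate solicitation for the host's own addresses could contain the VIP's bytes (for example in an option), which is not a concern when the VIP and the real addresses differ in their leading groups as they do in the comment above.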