Can I filter based on a ICMPv6 subtype?

Question

I'm trying to filter out specific ICMPv6 packets and I tried looking at all the possible types options by using the following command:

ip6tables -p icmpv6 -h

This yields the following types (note the nested ones):

Valid ICMPv6 Types:
destination-unreachable
   no-route
   communication-prohibited
   address-unreachable
   port-unreachable
packet-too-big
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   bad-header
   unknown-header-type
   unknown-option
echo-request (ping)
echo-reply (pong)
router-solicitation
router-advertisement
neighbour-solicitation (neighbor-solicitation)
neighbour-advertisement (neighbor-advertisement)
redirect

Can the nested types be specifically targeted?

Is this the correct syntax to, say, DROP outgoing no-route destination unreachable packets?

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable no-route -j DROP

That should work. And it will definitely break the Internet for you. — Michael Hampton, Oct 01 '18 at 16:12

score 2 · Accepted Answer · answered Oct 01 '18 at 15:51

2

Just match the no-route type directly:

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type no-route -j DROP

If you wanted to drop all destination-unreachable types, you would use:

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j DROP

answered Oct 01 '18 at 15:51

bodgit

4,661
13
26

Can I filter based on a ICMPv6 subtype?

1 Answers1