Explain that ICMPv6 ND/RD packets are untracked

2024-06-28 18:02:33 +00:00 · 2014-07-27 11:23:42 +01:00 · 2014-07-27 11:23:42 +01:00 · edd7dace10
commit edd7dace10
parent b9d3663767
2 changed files with 12 additions and 5 deletions
--- a/doc/firehol/firehol-variables.5.md
+++ b/doc/firehol/firehol-variables.5.md
@ -229,11 +229,16 @@ FIREHOL\_DROP\_INVALID
 :   If set to 1, this variable causes FireHOL to drop all packets
    matched as `INVALID` in the iptables(8) connection tracker.

+    You may be better off using
+    [firehol-protection(5)][keyword-firehol-protection] to control
+    matching of `INVALID` packets and others on a per-interface
+    and per-router basis.
+
    > **Note**
    >
-    > You can use [firehol-protection(5)][keyword-firehol-protection] to
-    > control matching of `INVALID` packets and others on a per-interface
-    > and per-router basis.
+    > Care must be taken on IPv6 interfaces, since ICMPv6 packets such
+    > as Neighbour Discovery are not tracked, meaning they are marked
+    > as INVALID.

    Example:

--- a/sbin/firehol.in
+++ b/sbin/firehol.in
@ -7437,8 +7437,10 @@ All the others are simple single socket services.

 Please note that the service:
 	
-	all	matches all packets, all protocols, all of everything,
-		while ensuring that required kernel modules are loaded.
+	all	matches all packets and all protocols, while ensuring that
+		required kernel modules are loaded. Packets "untracked" by
+		iptables (e.g. ICMPv6 neighbour discovery packets) are not
+		included in "all" and must be handled separately.
 	
 	any	allows the matching of packets with unusual rules, like
 		only protocol but no ports. If service any is used