ip6tables can generate the following ICMP error codes (according to the man page):
--reject-with type
The type given can be icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, icmp6-port-unreachable or port-unreach which return the appropriate ICMPv6 error message (port-unreach is the default).
Example:
[root@outside-pc ~]# ip6tables -A INPUT -s 2001::/64 -p ICMPv6 -j REJECT --icmpv6-type destination-unreachable
[root@outside-pc ~]# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 2001::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j REJECT --reject-with icmp6-port-unreachable
Is it possible to use ip6tables to generate other error codes, such as "packet too big" (type 2, code 0)?
Best answer
Unfortunately, the simple answer to your question appears to be "no". You can see the kernel code that implements the REJECT
target here, shown below:
static unsigned int
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
    const struct ip6t_reject_info *reject = par->targinfo;
    struct net *net = dev_net((par->in != NULL) ? par->in : par->out);

    pr_debug("%s: medium point\n", __func__);
    switch (reject->with) {
    case IP6T_ICMP6_NO_ROUTE:
        send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
        break;
    case IP6T_ICMP6_ADM_PROHIBITED:
        send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
        break;
    case IP6T_ICMP6_NOT_NEIGHBOUR:
        send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
        break;
    case IP6T_ICMP6_ADDR_UNREACH:
        send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_PORT_UNREACH:
        send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_ECHOREPLY:
        /* Do nothing */
        break;
    case IP6T_TCP_RESET:
        send_reset(net, skb);
        break;
    default:
        net_info_ratelimited("case %u not handled yet\n", reject->with);
        break;
    }

    return NF_DROP;
}
As you can see, it only supports the types you have already found.
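As an added illustration (not part of the question or the answer above), the following Python script audits a ruleset dump in the `ip6tables -S` format shown in the question: it finds every rule that jumps to REJECT, applies the man page's port-unreach default when `--reject-with` is absent, and maps each keyword to the ICMPv6 Destination Unreachable (type 1) code the kernel's `send_unreach()` will emit (codes per RFC 4443 section 3.1, matching the ICMPV6_* constants in the switch above). The keyword table is the one on this page plus `tcp-reset` from the kernel code; it has no entry for Packet Too Big, which is the practical consequence of the answer. The sample dump is constructed: it reuses the rules from the question and adds two further rules.

```python
import shlex

# Added example, not from the original question or answer: audit the REJECT
# rules in an `ip6tables -S` dump and map each --reject-with keyword to the
# ICMPv6 type/code the kernel's REJECT target will actually emit.

# Keywords accepted by ip6tables --reject-with (from the man page quoted in
# the question) and the ICMPv6 Destination Unreachable (type 1) code each
# produces per RFC 4443 section 3.1.  tcp-reset sends a TCP RST instead of an
# ICMPv6 message.  There is no keyword at all for Packet Too Big (type 2).
REJECT_WITH = {
    "icmp6-no-route": (1, 0),
    "no-route": (1, 0),
    "icmp6-adm-prohibited": (1, 1),
    "adm-prohibited": (1, 1),
    "icmp6-addr-unreachable": (1, 3),
    "addr-unreach": (1, 3),
    "icmp6-port-unreachable": (1, 4),
    "port-unreach": (1, 4),
    "tcp-reset": None,
}

# The man page states port-unreach is the default when --reject-with is absent;
# `ip6tables -S` prints it under its long name, as in the question's output.
DEFAULT_REJECT_WITH = "icmp6-port-unreachable"


def reject_with_supported(keyword):
    """True if the kernel's REJECT target can emit this keyword's message."""
    return keyword in REJECT_WITH


def _value_after(tokens, flag):
    """Return the token following `flag`, or None if absent or dangling."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_reject_rules(dump):
    """Parse `ip6tables -S` text and return one record per rule jumping to REJECT.

    Policy lines (-P) and rules with other targets are skipped.  Each record
    carries the chain, the effective --reject-with keyword (default applied),
    the resulting ICMPv6 (type, code) or None for tcp-reset, and whether the
    keyword is one the kernel implements.
    """
    records = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        if _value_after(tokens, "-j") != "REJECT":
            continue
        keyword = _value_after(tokens, "--reject-with") or DEFAULT_REJECT_WITH
        records.append({
            "chain": tokens[1],
            "rule": line,
            "reject_with": keyword,
            "icmpv6": REJECT_WITH.get(keyword),
            "supported": reject_with_supported(keyword),
        })
    return records


# Constructed sample: the dump from the question plus two added rules
# (the 2001:db8::/32 prefixes are documentation addresses).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 2001::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -s 2001:db8::/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A FORWARD -d 2001:db8:1::/48 -j REJECT
-A FORWARD -d 2001:db8:2::/48 -j DROP
"""

if __name__ == "__main__":
    for rec in parse_reject_rules(SAMPLE_DUMP):
        print(rec["chain"], rec["reject_with"], rec["icmpv6"], rec["supported"])
    # The message the question asks for has no --reject-with keyword.
    print("packet-too-big supported:", reject_with_supported("packet-too-big"))
```

Run it against a live box with `ip6tables -S | python3 audit.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; the `supported` flag is always true for rules that loaded successfully, since ip6tables refuses unknown keywords, so the script's real value is the type/code column, which tells you what a peer will receive and therefore what to expect in packet captures when verifying the policy.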
Regarding "linux - how to generate an ICMPv6 'packet too big' with ip6tables", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/13156695/