使用ip6tables可以生成以下icmp错误代码(根据手册页):

--reject-with type
              The  type  given  can   be   icmp6-no-route,   no-route,   icmp6-adm-prohibited,   adm-prohibited, icmp6-addr-unreachable,  addr-unreach,  icmp6-port-unreachable  or  port-unreach  which return the appropriate ICMPv6 error message (port-unreach is the default).

例子:
[root@outside-pc ~]# ip6tables -A INPUT -s 2001::/64 -p ICMPv6  -j REJECT --icmpv6-type destination-unreachable
[root@outside-pc ~]# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 2001::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j REJECT --reject-with icmp6-port-unreachable

是否可以使用ip6tables生成其他错误代码,如“packet too big”(类型2,代码0)?

最佳答案

很不幸,你的问题的简单答案似乎是“不”。您可以看到内核代码实现了REJECT目标here,如下所示:

static unsigned int
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
    const struct ip6t_reject_info *reject = par->targinfo;
    struct net *net = dev_net((par->in != NULL) ? par->in : par->out);

    pr_debug("%s: medium point\n", __func__);
    switch (reject->with) {
    case IP6T_ICMP6_NO_ROUTE:
        send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
        break;
    case IP6T_ICMP6_ADM_PROHIBITED:
        send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
        break;
    case IP6T_ICMP6_NOT_NEIGHBOUR:
        send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
        break;
    case IP6T_ICMP6_ADDR_UNREACH:
        send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_PORT_UNREACH:
        send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_ECHOREPLY:
        /* Do nothing */
        break;
    case IP6T_TCP_RESET:
        send_reset(net, skb);
        break;
    default:
        net_info_ratelimited("case %u not handled yet\n", reject->with);
        break;
    }

    return NF_DROP;
}

如您所见,它只支持您已经发现的类型。

关于linux - 如何使用ip6tables生成ICMPv6“太大的数据包”,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/13156695/

10-10 05:56