From eaffe3a13bdbcc03ed4af1f1115c147f62e3de10 Mon Sep 17 00:00:00 2001
From: Wido den Hollander
Date: Wed, 12 Apr 2017 15:02:30 +0200
Subject: [PATCH] ipv6: Allow all ICMPv6 traffic if -1 is provided as a ICMP type
ip6tables no longer takes '--icmpv6-type any' as a argument. To allow all ICMPv6 traffic with ip6tables it has to be invoked this way:
$ ip6tables -I i-2-14-VM -p icmpv6 -s ::/0 -j ACCEPT
All ICMPv6 traffic is now allow into the Instance.
Signed-off-by: Wido den Hollander
---
 scripts/vm/network/security_group.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 0e815650bd69..5505ee470dc0 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -1008,7 +1008,11 @@ def add_network_rules(vm_name, vm_id, vm_ip, vm_ip6, signature, seqno, vmMac, ru
 elif 'icmp' != protocol:
 execute('ip6tables -I ' + vmchain + ' -p ' + protocol + ' -m ' + protocol + ' --dport ' + range + ' -m state --state NEW ' + direction + ' ' + ip + ' -j ' + action)
 else:
- execute('ip6tables -I ' + vmchain + ' -p icmpv6 --icmpv6-type ' + range + ' ' + direction + ' ' + ip + ' -j ' + action)
+ # ip6tables does not allow '--icmpv6-type any', allowing all ICMPv6 is done by not allowing a specific type
+ if range == 'any':
+ execute('ip6tables -I ' + vmchain + ' -p icmpv6 ' + direction + ' ' + ip + ' -j ' + action)
+ else:
+ execute('ip6tables -I ' + vmchain + ' -p icmpv6 --icmpv6-type ' + range + ' ' + direction + ' ' + ip + ' -j ' + action)
 egress_vmchain = egress_chain_name(vm_name)
 if egressrule_v4 == 0 :
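Review bot: The new `if range == 'any':` branch in add_network_rules relies on a mapping the hunk does not show: the subject line speaks of -1, so the code that turns an ICMP type of -1 into the string 'any' should be checked against every form the rule parser can produce (for example a -1 type paired with a non-negative code), otherwise the `else` branch still passes ip6tables a type it rejects. The added comment is hard to follow; I would write `# ip6tables rejects '--icmpv6-type any'; omitting the type match accepts every ICMPv6 type`. With no type match the rule also admits neighbour-discovery and router-advertisement messages from the matched source, which is worth stating in that comment so operators know what an "all ICMP" rule opens on the instance. The command is still assembled by string concatenation like the surrounding lines, and how `execute` runs it is outside the hunk, so `range` and `ip` presumably need to be validated before this point. The function body starts and ends outside the hunk.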