From 990e4a6e4053c4d2bbdf7269068ee7feea930a08 Mon Sep 17 00:00:00 2001
From: Wido den Hollander
Date: Wed, 12 Apr 2017 15:02:30 +0200
Subject: [PATCH] ipv6: Allow all ICMPv6 traffic if -1 is provided as a ICMP type
ip6tables no longer takes '--icmpv6-type any' as a argument. To allow all ICMPv6 traffic with ip6tables it has to be invoked this way:
$ ip6tables -I i-2-14-VM -p icmpv6 -s ::/0 -j ACCEPT
All ICMPv6 traffic is now allow into the Instance.
Signed-off-by: Wido den Hollander
---
 scripts/vm/network/security_group.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index d95e35ddfad..9e3eeb062bb 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -1052,7 +1052,11 @@ def add_network_rules(vm_name, vm_id, vm_ip, vm_ip6, signature, seqno, vmMac, ru
 elif 'icmp' != protocol:
 execute('ip6tables -I ' + vmchain + ' -p ' + protocol + ' -m ' + protocol + ' --dport ' + range + ' -m state --state NEW ' + direction + ' ' + ip + ' -j ' + action)
 else:
- execute('ip6tables -I ' + vmchain + ' -p icmpv6 --icmpv6-type ' + range + ' ' + direction + ' ' + ip + ' -j ' + action)
+ # ip6tables does not allow '--icmpv6-type any', allowing all ICMPv6 is done by not allowing a specific type
+ if range == 'any':
+ execute('ip6tables -I ' + vmchain + ' -p icmpv6 ' + direction + ' ' + ip + ' -j ' + action)
+ else:
+ execute('ip6tables -I ' + vmchain + ' -p icmpv6 --icmpv6-type ' + range + ' ' + direction + ' ' + ip + ' -j ' + action)
 egress_vmchain = egress_chain_name(vm_name)
 if egressrule_v4 == 0 :
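Review bot: Both new `execute(...)` calls still build the ip6tables command by concatenating `vmchain`, `range`, `direction`, `ip` and `action` into one string, and the inner `else` branch passes any `range` other than `'any'` straight to `--icmpv6-type` with no check. Whether `execute` runs the string through a shell is not visible in this hunk, but if it does, a rule field carrying shell metacharacters would be interpreted rather than rejected. A guard ahead of the branch such as `if range != 'any' and not re.match(r'^\d+(/\d+)?$', range): raise ValueError('invalid ICMPv6 type: ' + range)` would close that, assuming types arrive as `type` or `type/code` and `re` is imported in this file; both need confirming against the caller. The added comment would also read more clearly as `# ip6tables rejects '--icmpv6-type any'; omit the type match to cover all ICMPv6 types`. add_network_rules starts and ends outside the hunk.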