Firewall: Drop IPv6 neighbour solicitation broadcasts

[dave14305]

Today I switched back over to Merlin 384.13 to test some things and was reviewing my restored settings and saw that on Tools / Other Settings I had once enabled "Firewall: Drop IPv6 neighbour solicitation broadcasts (default: No)" since I am on Comcast/Xfinity. I believe I once saw a bunch of IPv6 traffic in tcpdump on the WAN interface, so decided to try this.

To get to the point, I went looking to see what this setting does, and expected to find an ip6tables rule in the mangle table, but found nothing.

# ip6tables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

The nvram setting ipv6_ns_drop is correctly set to 1. Does this feature work for anyone else? I'm on an AC68U. IPv6 is disabled on the router, but the IPv6 firewall is enabled. I don't see that the code discriminates too much on this setting, but can't figure out why there's no rule, unless it's getting flushed out later in the firewall start.

 

[dave14305]

Also seeing code that refers to another variable "ipv6_neighsol_drop", but setting it to 1 doesn't help either.

https://github.com/RMerl/asuswrt-me...inline/release/src/router/rc/firewall.c#L5453
https://github.com/RMerl/asuswrt-me...inline/release/src/router/rc/firewall.c#L5722

 

[stuffedtiger]

apparently i don't know what i'm talking about.

 

[ColinTaylor]

Also seeing code that refers to another variable "ipv6_neighsol_drop", but setting it to 1 doesn't help either.

https://github.com/RMerl/asuswrt-me...inline/release/src/router/rc/firewall.c#L5453
https://github.com/RMerl/asuswrt-me...inline/release/src/router/rc/firewall.c#L5722

My best guess at what is happening...

ipv6_ns_drop is in mangle_setting() and ipv6_neighsol_drop is in mangle_setting2().

Both of these are processed just before the following piece of code which effectively wipes them out when IPv6 is disabled.

https://github.com/RMerl/asuswrt-me...29fa6f/release/src/router/rc/firewall.c#L6186

#ifdef RTCONFIG_IPV6
    if (!ipv6_enabled())
    {
        eval("ip6tables", "-F");
        eval("ip6tables", "-t", "mangle", "-F");
    }
#endif

 

[dave14305]

My best guess at what is happening...

ipv6_ns_drop is in mangle_setting() and ipv6_neighsol_drop is in mangle_setting2().

Both of these are processed just before the following piece of code which effectively wipes them out when IPv6 is disabled.

https://github.com/RMerl/asuswrt-me...29fa6f/release/src/router/rc/firewall.c#L6186

#ifdef RTCONFIG_IPV6
    if (!ipv6_enabled())
    {
        eval("ip6tables", "-F");
        eval("ip6tables", "-t", "mangle", "-F");
    }
#endif

This morning I experimented with enabling IPv6 and I still didn’t see the rule created. So probably some firewall voodoo at work.

 

[SomeWhereOverTheRainBow]

This morning I experimented with enabling IPv6 and I still didn’t see the rule created. So probably some firewall voodoo at work.

I think it only remains active if needed , I noticed my connection for ipv6 has alot less dropped packets when the setting is on due to the solicitation being blocked.