Linux: how to generate an ICMPv6 "Packet Too Big" using ip6tables


The following ICMP error codes can be generated with ip6tables (according to the man page):

For example:

[root@outside-pc ~]# ip6tables -A INPUT -s 2001::/64 -p ICMPv6  -j REJECT --icmpv6-type destination-unreachable
[root@outside-pc ~]# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 2001::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j REJECT --reject-with icmp6-port-unreachable

Is it possible to generate other error codes with ip6tables, such as "Packet Too Big" (type 2, code 0)?

Unfortunately, the simple answer to your question seems to be "no". You can see that the kernel code implements the REJECT target as follows:

static unsigned int
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
    const struct ip6t_reject_info *reject = par->targinfo;
    struct net *net = dev_net((par->in != NULL) ? par->in : par->out);

    pr_debug("%s: medium point\n", __func__);
    switch (reject->with) {
    case IP6T_ICMP6_NO_ROUTE:
        send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
        break;
    case IP6T_ICMP6_ADM_PROHIBITED:
        send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
        break;
    case IP6T_ICMP6_NOT_NEIGHBOUR:
        send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
        break;
    case IP6T_ICMP6_ADDR_UNREACH:
        send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_PORT_UNREACH:
        send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_ECHOREPLY:
        /* Do nothing */
        break;
    case IP6T_TCP_RESET:
        send_reset(net, skb);
        break;
    default:
        net_info_ratelimited("case %u not handled yet\n", reject->with);
        break;
    }

    return NF_DROP;
}

As you can see, it only supports the types you have already discovered.
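Added illustration, not part of the original answer or of the kernel source above: a small Python decoder that verifies an ICMPv6 error message's checksum and classifies it, flagging the Destination Unreachable (type 1) codes that reject_tg6() can emit through send_unreach() and treating Packet Too Big (type 2, whose 32-bit field carries the next-hop MTU) as outside that set. The build_icmp6_error() helper only constructs in-memory sample frames for testing; the addresses and the 40-byte invoking payload are made up.

```python
import struct
import ipaddress
# RFC 4443 Destination Unreachable (type 1) codes. These five are exactly the
# ones reject_tg6() above emits via send_unreach() for the --reject-with options.
DEST_UNREACH_CODES = {0: "no-route", 1: "adm-prohibited", 2: "not-neighbour",
                      3: "addr-unreachable", 4: "port-unreachable"}

def icmp6_checksum(src, dst, icmp):
    """One's-complement sum over the IPv6 pseudo-header plus the ICMPv6 message; 0 means valid."""
    data = src + dst + struct.pack("!IxxxB", len(icmp), 58) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_icmp6_error(packet):
    """Parse a raw IPv6+ICMPv6 frame (fixed IPv6 header, no extension headers)."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != 58:
        raise ValueError("not a plain IPv6/ICMPv6 packet")
    src, dst, icmp = packet[8:24], packet[24:40], packet[40:]
    if icmp6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    typ, code, _, field = struct.unpack("!BBHI", icmp[:8])
    info = {"src": str(ipaddress.IPv6Address(src)), "type": typ, "code": code,
            "invoking_packet_bytes": len(icmp) - 8}   # original datagram follows the 8-byte header
    if typ == 1:
        info["name"] = DEST_UNREACH_CODES.get(code, "unknown")
        info["reject_can_emit"] = code in DEST_UNREACH_CODES
    elif typ == 2:   # Packet Too Big: the 32-bit field carries the next-hop MTU
        info["name"], info["mtu"], info["reject_can_emit"] = "packet-too-big", field, False
    else:
        info["name"], info["reject_can_emit"] = "other", False
    return info

def build_icmp6_error(src_str, dst_str, typ, code, field, invoking):
    """Build a checksummed in-memory IPv6/ICMPv6 error frame (constructed test data only)."""
    src = ipaddress.IPv6Address(src_str).packed
    dst = ipaddress.IPv6Address(dst_str).packed
    body = struct.pack("!BBHI", typ, code, 0, field) + invoking
    icmp = body[:2] + struct.pack("!H", icmp6_checksum(src, dst, body)) + body[4:]
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 64) + src + dst   # version 6, hop limit 64
    return ip6 + icmp

if __name__ == "__main__":
    invoking = bytes([0x60]) + b"\x00" * 39   # constructed 40-byte stand-in for the original packet
    for typ, code, field in ((1, 4, 0), (2, 0, 1280)):
        print(classify_icmp6_error(build_icmp6_error("2001::1", "2001::2", typ, code, field, invoking)))
```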

Tried the following, but without success:

[root@outside-pc ~]# ip6tables -A INPUT -p icmpv6 -j REJECT --icmpv6-type 2/0
[root@outside-pc ~]# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2/0 -j REJECT --reject-with icmp6-port-unreachable