如何使用ICMPv6生成“包太大”

Question

可以使用以下ip6tables生成ICMP错误代码(如手册页所示)：

--reject-with type
              The  type  given  can   be   icmp6-no-route,   no-route,   icmp6-adm-prohibited,   adm-prohibited, icmp6-addr-unreachable,  addr-unreach,  icmp6-port-unreachable  or  port-unreach  which return the appropriate ICMPv6 error message (port-unreach is the default).

示例：

[root@outside-pc ~]# ip6tables -A INPUT -s 2001::/64 -p ICMPv6  -j REJECT --icmpv6-type destination-unreachable
[root@outside-pc ~]# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 2001::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j REJECT --reject-with icmp6-port-unreachable

是否可以使用ip6tables ?生成其他错误代码，如“包太大”(类型2，代码0)。

Answer 1

很不幸，你的问题的简单答案似乎是“不”。您可以看到具有实现REJECT目标这里的内核代码，它如下所示：

static unsigned int
reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
    const struct ip6t_reject_info *reject = par->targinfo;
    struct net *net = dev_net((par->in != NULL) ? par->in : par->out);

    pr_debug("%s: medium point\n", __func__);
    switch (reject->with) {
    case IP6T_ICMP6_NO_ROUTE:
        send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
        break;
    case IP6T_ICMP6_ADM_PROHIBITED:
        send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
        break;
    case IP6T_ICMP6_NOT_NEIGHBOUR:
        send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
        break;
    case IP6T_ICMP6_ADDR_UNREACH:
        send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_PORT_UNREACH:
        send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
        break;
    case IP6T_ICMP6_ECHOREPLY:
        /* Do nothing */
        break;
    case IP6T_TCP_RESET:
        send_reset(net, skb);
        break;
    default:
        net_info_ratelimited("case %u not handled yet\n", reject->with);
        break;
    }

    return NF_DROP;
}

如您所见，它只支持您已经发现的类型。