From 4c69594aae5f2c87ab2f7616d1ef76c84ae6dc74 Mon Sep 17 00:00:00 2001 From: Vadim Kurland Date: Fri, 29 Oct 2010 16:47:28 -0700 Subject: [PATCH] * configlets/linux24/automatic_rules: implemented SF feature request 3094738 "Set the HL to 255 for IPv6 Neighbor Discovery". Neighbor discovery packets must have hop limit of 255 per RFC 2461. Automatically generated rules that match neighbor discovery packets will math hooplimit 255. --- doc/ChangeLog | 6 ++++++ src/res/configlets/linux24/automatic_rules | 16 ++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 0a9554691..975866a89 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,11 @@ 2010-10-29 Vadim Kurland + * configlets/linux24/automatic_rules: implemented SF feature + request 3094738 "Set the HL to 255 for IPv6 Neighbor + Discovery". Neighbor discovery packets must have hop limit of 255 + per RFC 2461. Automatically generated rules that match neighbor + discovery packets will math hooplimit 255. + * configlets/linux24/update_addresses: fixed SF bug 3091069: "Routing configuration failed". Iptables script generated by fwbuilder did not configure broadcast when it added ip addresses diff --git a/src/res/configlets/linux24/automatic_rules b/src/res/configlets/linux24/automatic_rules index 3f966e09d..fd78ea2ae 100644 --- a/src/res/configlets/linux24/automatic_rules +++ b/src/res/configlets/linux24/automatic_rules 
@@ -81,14 +81,14 @@ {{if add_rules_for_ipv6_neighbor_discovery}} # rules to permit IPv6 Neighbor discovery -{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}} -{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}} -{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}} -{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}} -{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}} -{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}} -{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}} -{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}} +{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} +{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT {{$end_rule}} {{endif}} {{if drop_invalid}}
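Review bot: The template comment above these eight rules does not explain the new `-m hl --hl-eq 255` match; it still reads only `# rules to permit IPv6 Neighbor discovery`. I would extend it to something like `# rules to permit IPv6 Neighbor discovery; hop limit must be 255 (RFC 4861, which obsoletes RFC 2461), so ND packets that crossed a router do not match`. These remain ACCEPT rules, so an ND packet with a lower hop limit is not dropped here and falls through to whatever follows. The filtering therefore holds only if no later rule or chain policy accepts ipv6-icmp more broadly, and that part of the rule set is outside this hunk. The `hl` match is now required unconditionally, so ip6tables builds without it would presumably reject these lines; it is worth confirming how the generated script behaves in that case.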