
firewall: further tune ICMPv6 default rules according to RFC4890 (#9893)

SVN-Revision: 27979
Jo-Philipp Wich 14 years ago
parent
commit
f1e7045d30

+ 1 - 1
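--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=2
-PKG_RELEASE:=33
+PKG_RELEASE:=34
 
 include $(INCLUDE_DIR)/package.mk
 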

+ 16 - 0
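--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -44,6 +44,22 @@ config rule
 	option target		ACCEPT
 
 # Allow essential incoming IPv6 ICMP traffic
+config rule
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
 config rule                                   
 	option src		wan
 	option dest		*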
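Review bot: The new input rule (the `config rule` block under the "incoming" comment) accepts router-solicitation and neighbour-solicitation but not the matching advertisements, even though RFC 4890 section 4.4.1 lists router-advertisement and neighbour-advertisement among the messages that must not be dropped for address configuration and neighbour discovery on the link to work. Unless another rule outside this hunk already accepts them, the router may fail to learn its upstream router or resolve wan neighbours; adding `list icmp_type		router-advertisement` and `list icmp_type		neighbour-advertisement` would complete the set. Note that this rule has no `option dest`, unlike the forwarded rule below it, so it governs traffic addressed to the router itself, which is what makes the "incoming" comment accurate; whether the default input policy already covers these types cannot be seen from the hunk.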

+ 1 - 1
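--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -102,7 +102,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
 				local p
 				for p in ${proto:-tcp udp}; do
 					case "$p" in
-						tcp|udp)
+						tcp|udp|6|17)
 							iptables -t nat -A nat_reflection_in \
 								-s $lanip/$lanmk -d $exthost \
 								-p $p $extport \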
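Review bot: The widened case pattern `tcp|udp|6|17)` introduces two unexplained magic numbers; a reader has to know they are the IANA protocol numbers that iptables `-p` also accepts for tcp and udp. A one-line comment above the pattern, `# 6 and 17 are the IANA protocol numbers for tcp and udp; iptables -p accepts both forms`, would make that explicit. Any other value of `$p` presumably still falls through to whatever branch follows the case, which lies outside the hunk, as does the rest of the enclosing loop and the `if` block named in the hunk header.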