HP-UX IPFilter Version 17 Administrator's Guide

11.3 Filtering ICMPv6 Packets by Type and Code (icmpv6-type and code)
You can filter specific types of ICMPv6 traffic using the icmpv6-type and code keywords.
You must specify proto icmpv6 to use the icmpv6-type and code keywords. A simplified
rule syntax is as follows:
block|pass in|out [processing_options] proto icmpv6 ip_selector
icmpv6-type type_value [code code_value]
where:
processing_options is one or more processing options, such as quick. See “Processing
Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 31).
ip_selector is the IP address specification using the keyword all, or the from and to
keywords and IPv6 addresses. See “Basic Rule Syntax: Specifying the Action, Direction, Protocol,
IP Addresses, and Ports” (page 28).
type_value is the decimal value for the ICMPv6 type. Note that by default, HP-UX IPFilter
allows ICMPv6 Router Discovery and Neighbor Discovery to bypass IPFilter rulesets and always
pass in and out of the system. See “Controlling ICMPv6 Router Discovery and Neighbor Discovery
Messages” (page 107) for more information.
code_value is the decimal value for the ICMPv6 code.
The IANA list of assigned ICMPv6 type numbers contains the registered ICMPv6
type and code values and the documents that define these values. This list is available at the
following URL:
http://www.iana.org/assignments/icmpv6-parameters
For example, to block inbound Node Information Queries (type 139) to your system (2001:db8::1),
create the following rule:
block in quick proto icmpv6 from any to 2001:db8::1 icmpv6-type 139
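The syntax requirements in this section (proto icmpv6 whenever icmpv6-type is used, decimal type and code values) can be checked before a ruleset is loaded. The following Python lint is an added example, not part of HP-UX IPFilter or this guide; the names lint_rule, lint_ruleset and SAMPLE are hypothetical, the sample rules are constructed, and the 0 to 255 range assumes the 8-bit ICMPv6 type and code header fields.

```python
import re

# Added example; lint_rule, lint_ruleset and SAMPLE are hypothetical names.
# Covers only: block|pass in|out [options] proto icmpv6 ip_selector icmpv6-type N [code N]

def _after(tokens, keyword):
    """Return the token following keyword, or None if it is missing."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None

def _is_byte(value):
    """Type and code are 8-bit ICMPv6 header fields: decimal 0..255 only."""
    return bool(value and re.fullmatch(r"[0-9]{1,3}", value) and int(value) <= 255)

def lint_rule(rule):
    """Return the problems found in one rule line (empty list: none found)."""
    tokens = rule.split()
    if "icmpv6-type" not in tokens:
        return []  # outside the syntax this check covers
    problems = []
    proto = _after(tokens, "proto")
    if proto != "icmpv6":
        problems.append("icmpv6-type requires proto icmpv6, found %s" % proto)
    if not _is_byte(_after(tokens, "icmpv6-type")):
        problems.append("type_value must be decimal 0..255")
    if "code" in tokens and not _is_byte(_after(tokens, "code")):
        problems.append("code_value must be decimal 0..255")
    return problems

def lint_ruleset(text):
    """Map 1-based line numbers to problems, skipping blanks and # comments."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        problems = lint_rule(line.split("#", 1)[0])
        if problems:
            report[number] = problems
    return report

SAMPLE = """\
# constructed rules, not taken from a real ruleset
block in quick proto icmpv6 from any to 2001:db8::1 icmpv6-type 139
pass in quick proto icmp from any to 2001:db8::1 icmpv6-type 139
block in proto icmpv6 all icmpv6-type 1 code 256
pass out proto icmpv6 all icmpv6-type 128 code 0
"""

if __name__ == "__main__":
    for number, problems in lint_ruleset(SAMPLE).items():
        print("line %d: %s" % (number, "; ".join(problems)))
```

The lint checks syntax only; it cannot tell whether block or pass matches the intent of a rule, so the action keyword still needs review against the policy.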