[j-nsp] MX IPv6 firewall filter question

Sebastian Wiesinger juniper-nsp at ml.karotte.org
Tue Feb 21 05:09:11 EST 2012


Hi,

I'm using a lo0 IPv6 firewall filter to protect my RE (yes, I'm
filtering IPv6). Hardware is MX960/Trio-MPC running on 11.2R5.4.

I have a filter to accept all ICMPv6 that has to do with neighbor
discovery etc.:

term accept-nd {
    from {
        next-header icmpv6;
        icmp-type [ neighbor-advertisement neighbor-solicit router-advertisement router-solicit router-renumbering ];
    }
    then {
        count accept-nd-v6;
        accept;
    }
}

This is the first filter on the RE, nothing before that.

Still I have DAD packets denied by a catch-all rule at the end:

10:36:10  pfe       D      irb.10        ICMPv6          ::                               ff02::1:ff00:2
10:36:10  pfe       D      irb.10        ICMPv6          ::                               ff02::1:ff00:2

Detail from one of the entries shows it's a neighbor-solicitation (135):

Time of Log: 2012-02-21 10:36:16 CET, Filter: pfe, Filter action: discard, Name of interface: irb.10
Name of protocol: ICMPv6, Packet Length: 24, Source address: ::, Destination address: ff02::1:ff00:2 Type 135 Code 0

Any idea why it is not accepted?

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
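As an added example (not part of Sebastian's post or of Junos), a small Python checker for the firewall log detail records quoted above: it parses each record, flags discarded ICMPv6 packets whose type the accept-nd term lists, and marks a source of `::` as a DAD probe. The sample records are constructed; the first reuses the values from the post, the second (an echo request with 2001:db8:: addresses) is invented for contrast.

```python
import re

# ICMPv6 types (RFC 4861 / RFC 2894) named in the post's accept-nd term.
ND_TYPES = {133: "router-solicit", 134: "router-advertisement",
            135: "neighbor-solicit", 136: "neighbor-advertisement",
            138: "router-renumbering"}

# One firewall log detail record; field order follows the record in the post.
DETAIL_RE = re.compile(
    r"Time of Log: (?P<time>.+?), Filter: (?P<filter>\S+), "
    r"Filter action: (?P<action>\w+), Name of interface: (?P<ifl>\S+) "
    r"Name of protocol: (?P<proto>\S+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>\S+), Destination address: (?P<dst>\S+) "
    r"Type (?P<type>\d+) Code (?P<code>\d+)")


def parse_detail(record: str) -> dict:
    """Parse one detail record (it may span two lines) into a dict."""
    m = DETAIL_RE.search(" ".join(record.split()))  # collapse line breaks
    if not m:
        raise ValueError("unrecognised firewall log record")
    d = m.groupdict()
    for key in ("type", "code", "length"):
        d[key] = int(d[key])
    # DAD probes are sent from the unspecified address (RFC 4862).
    d["dad"] = d["proto"] == "ICMPv6" and d["src"] == "::"
    return d


def unexpected_nd_discards(records):
    """Return discarded ICMPv6 packets whose type accept-nd should have matched."""
    hits = []
    for rec in records:
        d = parse_detail(rec)
        if d["action"] == "discard" and d["proto"] == "ICMPv6" and d["type"] in ND_TYPES:
            d["icmp_type_name"] = ND_TYPES[d["type"]]
            hits.append(d)
    return hits


# Constructed sample records: the one quoted in the post, plus an echo request.
SAMPLE_RECORDS = [
    "Time of Log: 2012-02-21 10:36:16 CET, Filter: pfe, Filter action: discard, Name of interface: irb.10\n"
    "Name of protocol: ICMPv6, Packet Length: 24, Source address: ::, Destination address: ff02::1:ff00:2 Type 135 Code 0",
    "Time of Log: 2012-02-21 10:36:20 CET, Filter: pfe, Filter action: discard, Name of interface: irb.10\n"
    "Name of protocol: ICMPv6, Packet Length: 64, Source address: 2001:db8::5, Destination address: 2001:db8::1 Type 128 Code 0",
]

if __name__ == "__main__":
    for h in unexpected_nd_discards(SAMPLE_RECORDS):
        print(f"{h['time']} {h['ifl']}: discarded {h['icmp_type_name']} "
              f"{h['src']} -> {h['dst']}" + (" (DAD probe)" if h["dad"] else ""))
```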

