From bf5d5e53acc1f9eadf8b330f0b1f1e0fb1e7107a Mon Sep 17 00:00:00 2001
From: Jack Ivanov <e601809@gmail.com>
Date: Fri, 14 Oct 2016 19:05:39 +0300
Subject: [PATCH] ip6tables fixes

---
 roles/vpn/templates/rules.v6.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2
index e491fec..71342a0 100644
--- a/roles/vpn/templates/rules.v6.j2
+++ b/roles/vpn/templates/rules.v6.j2
@@ -17,6 +17,10 @@ COMMIT
 -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
 # TODO:
 # The IP of the resolver should be bound to a DUMMY interface.
 # DUMMY interfaces are the proper way to install IPs without assigning them any