IPv6 ICMP criticals

ChangeLog

@@ -1,6 +1,7 @@
 0.9.12 - Brielle Bruns <bruns@2mbit.com>
 	- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
 	  block incoming to.
+	- Add support for allowing IPV6 critical ICMP messages, on by default
 
 0.9.11 - Brielle Bruns <bruns@2mbit.com>
 	- Move some of the config clutter to conf/ - you can

bin/firewall-sosdg

@@ -817,6 +817,17 @@ fi
 			fi
 	fi
 	
+	if [ "$IPV6_ICMP_OPT" ]; then
+			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+			if [ "$IPV6_FORWARDRANGE" ]; then
+				$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+				$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+			fi
+	fi
+	
 	if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
 		display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
 		. "$BASEDIR/include/ipv6_custom_mssclamp"

options.default

@@ -217,4 +217,10 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
 # Allow critical ICMP messages to go through, such as packet too big.
 # You should _really_ make sure you don't disable this if you have any
 # kind of MTU changes inside or outside your network.
-IPV6_ICMP_CRITICAL=1
+# Allows: time-exceeded packet-too-big
+IPV6_ICMP_CRITICAL=1
+
+# Allow other common IPV6 ICMP messages through the firewall.  Though not
+# really critical, these can help with general IPv6 usage/diagnostic
+# Allows: destination-unreachable parameter-problem
+#IPV6_ICMP_OPT=1