# WAN zone defaults. The values on the input/forward lines are REJECT; the
# trailing "改成 ACCEPT" ("change to ACCEPT") is the author's annotation, not
# UCI syntax, and must not be pasted into /etc/config/firewall as written.
config zone
option name 'wan'
# NOTE(review): the zone-level input policy decides what happens to every packet
# addressed to the router from this zone that no rule matched. This zone sets no
# family, so ACCEPT here would apply to IPv4 as well as IPv6. The fw4 print
# output on this page still ends input_wan with "jump reject_from_wan", i.e. it
# reflects REJECT - confirm whether the policy change is needed at all once the
# IPv6 rules below are in place.
option input 'REJECT' 改成 ACCEPT
option output 'ACCEPT'
# NOTE(review): forward is likewise a zone-wide default, not an IPv6-only
# allowance. The printed forward_wan chain still ends with "jump reject_to_wan",
# so the output shown was produced with REJECT - verify before loosening it.
option forward 'REJECT' 改成 ACCEPT
# masq enables masquerading (source NAT) for traffic leaving through this zone;
# mtu_fix enables TCP MSS clamping.
option masq '1'
option mtu_fix '1'
list network 'wan'
....
# Input rule: src is 'wan' and no dest is given, so it applies to traffic
# addressed to the router itself. It shows up in chain input_wan of the fw4
# print output as "meta nfproto ipv6 meta l4proto tcp counter accept".
# NOTE(review): no dest_port is set, so every TCP port on the router becomes
# reachable over IPv6 from the WAN side, including any management service that
# listens on an IPv6 address. Adding "option dest_port '<PORT>'" (placeholder)
# and, where the peers are known, "option src_ip" limits the exposure to the
# service that is actually meant to be reachable.
config rule
option name 'allow-IPV6-wrt'
option src 'wan'
option proto 'tcp'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule: src 'wan' with dest 'lan' makes this a wan -> lan forwarding
# rule. It shows up in chain forward_wan of the fw4 print output as
# "meta nfproto ipv6 counter jump accept_to_lan".
# NOTE(review): proto 'all' with no dest_ip or dest_port admits every unsolicited
# IPv6 packet towards the LAN, so each LAN host with a global IPv6 address is
# protected only by its own host firewall. If only specific hosts or services
# need to be reachable, narrow the rule with "option dest_ip '<HOST_ADDRESS>'"
# and "option dest_port '<PORT>'" (placeholders) together with a concrete proto.
config rule
option name 'Allow-IPV6-all'
option src 'wan'
option dest 'lan'
option family 'ipv6'
option target 'ACCEPT'
list proto 'all'
执行 fw4 print 可以看到生成的规则：
...
# Generated by fw4: rules for packets arriving from the wan zone that are
# addressed to the router itself. Each rule's comment names the UCI rule it
# was generated from.
chain input_wan {
# DHCPv4 client port (68/udp) and IPv4 echo request (ICMP type 8).
meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
meta nfproto ipv4 icmp type 8 counter accept comment "!fw4: Allow-Ping"
# NOTE(review): this is the custom rule from the UCI listing. It has no dport
# match, so it accepts IPv6 TCP to any port on the router. The counter on this
# line can be used to see how much traffic is actually hitting it.
meta nfproto ipv6 meta l4proto tcp counter accept comment "!fw4: allow-IPV6-wrt"
meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
# DHCPv6 client port (546/udp).
meta nfproto ipv6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
# MLD messages (types 130, 131, 132, 143), accepted only from link-local sources.
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept comment "!fw4: Allow-MLD"
# Echo request/reply, destination unreachable, time exceeded and router
# solicitation/advertisement, rate-limited to 1000 packets per second.
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
# Packet too big, parameter problem and neighbour solicitation/advertisement,
# with the same rate limit.
meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
# Everything not accepted above goes to reject_from_wan (defined outside this
# excerpt). This reflects a wan zone input policy of REJECT, not ACCEPT.
jump reject_from_wan
}
...
# Generated by fw4: rules for packets arriving from the wan zone that are to be
# forwarded to another interface.
chain forward_wan {
# NOTE(review): this is the custom rule from the UCI listing. It matches every
# IPv6 packet regardless of protocol or port and hands it to accept_to_lan
# (defined outside this excerpt; presumably it accepts packets leaving through
# lan-zone interfaces - confirm in the full fw4 print output). Being first in
# the chain, it decides LAN-bound IPv6 traffic before any later rule is reached.
meta nfproto ipv6 counter jump accept_to_lan comment "!fw4: Allow-IPV6-all"
# Rate-limited ICMPv6 forwarding: echo request/reply, destination unreachable,
# time exceeded, packet too big and parameter problem.
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
# IPsec passthrough towards the LAN: ESP and ISAKMP (500/udp).
meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"
# Anything left over is handed to reject_to_wan (defined outside this excerpt),
# which reflects a wan zone forward policy of REJECT, not ACCEPT.
jump reject_to_wan
}