set banner { # begin banner

# Print the two identification lines that head the generated output:
# the RFC being implemented and the author/origin of the script.
foreach line [list \
    "rfc4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls" \
    "IPTables to Cisco ACL rules - Francois Ropert - http://blog.packetfault.org"] {
    puts $line
}
unset line

}

set setconstants { # begin setconstants

# Deployment parameters read by the ACL blocks that follow.
#   INNER_PREFIXES       - prefixes treated as the inside of the filter
#                          (inferred from use; verify for your site)
#   PINGABLE_HOSTS       - prefixes that may receive echo-request from anywhere
#   LINK_LOCAL_ADDRS     - 1 adds explicit denies for fe80::/10 in echoreqresp
#   HOME_AGENTS_PRESENT  - 1 permits the home-agent side of the Mobile IPv6 rules
#   MOBILE_NODES_PRESENT - 1 permits the mobile-node side of the Mobile IPv6 rules
#   FILTERED_IFACE       - interface the ACL is bound to by aclend
#   DIRECTION            - direction passed to "ipv6 traffic-filter"
# The values are sample/placeholder values (documentation prefixes), not a
# site configuration.
foreach {name value} [list \
    INNER_PREFIXES       "2001:DB8:85::/60" \
    PINGABLE_HOSTS       "2001:DB8:85::/64" \
    LINK_LOCAL_ADDRS     0 \
    HOME_AGENTS_PRESENT  1 \
    MOBILE_NODES_PRESENT 1 \
    FILTERED_IFACE       "FastEthernet0/0" \
    DIRECTION            "in"] {
    set $name $value
}
unset name value

}

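set aclbegin { # begin aclbegin
# Open the configuration and the named ICMPv6 access-list.
# Every line of an eval'd block is executed as a Tcl command, so a bare
# quoted string would be looked up as a command name and fail; each ACL
# line is therefore emitted with puts.
puts "conf t"
puts "ipv6 access-list icmpv6"
}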

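set aclend { # begin aclend
# Leave the access-list and bind it to FILTERED_IFACE in DIRECTION.
# Lines are emitted with puts; a bare string would be run as a command.
puts "exit"
puts "interface $FILTERED_IFACE"
puts "ipv6 traffic-filter icmpv6 $DIRECTION"
puts "end"
}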

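set echoreqresp { # begin echoreqresp
# Echo Request / Echo Reply rules.
# Every ACL line is emitted with puts: an eval'd bare string would be
# executed as a command name and abort the script.

# Inside hosts may ping anywhere.
foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any echo-request"
}

# Only PINGABLE_HOSTS may be pinged from outside.
foreach prefixv6 $PINGABLE_HOSTS {
    puts "permit icmp any $prefixv6 echo-request"
}

# Replies from the pingable hosts may leave.
foreach prefixv6 $PINGABLE_HOSTS {
    puts "permit icmp $prefixv6 any echo-reply"
}

# Replies to the inside hosts' own requests may enter.
foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp any $prefixv6 echo-reply"
}

# Optional explicit denies for link-local sources/destinations.
if { $LINK_LOCAL_ADDRS == 1 } {
    puts "deny icmp any fe80::/10"
    puts "deny icmp fe80::/10 any"
}

# Echo replies addressed to multicast are never legitimate.
puts "deny icmp any ff00::/8 echo-reply"

}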

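set destunreachable   { # begin destunreachable
# Destination Unreachable is permitted in both directions for the inside
# prefixes. Lines are emitted with puts; a bare string would be run as a
# command.

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp any $prefixv6 destination-unreachable"
}

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any destination-unreachable"
}

}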


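set packet2big   { # begin packet2big
# Packet Too Big is required for Path MTU discovery and is permitted in
# both directions for the inside prefixes. Lines are emitted with puts;
# a bare string would be run as a command.

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp any $prefixv6 packet-too-big"
}

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any packet-too-big"
}

}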

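set exceededtime   { # begin exceededtime
# Time Exceeded: both the hop-limit (time-exceeded) and the fragment
# reassembly (reassembly-timeout) forms are permitted in both directions
# for the inside prefixes. Lines are emitted with puts; a bare string
# would be run as a command.

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp any $prefixv6 time-exceeded"
}

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp any $prefixv6 reassembly-timeout"
}

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any time-exceeded"
}

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any reassembly-timeout"
}

}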

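set parameterproblem   { # begin parameterproblem
# Parameter Problem (header / parameter-option / next-header forms).
# Lines are emitted with puts; a bare string would be run as a command.
# NOTE(review): unlike the other error-message blocks, only the outbound
# direction (inside -> any) is permitted here; parameter-problem messages
# sent back toward INNER_PREFIXES fall through to the final "deny icmp
# any any". Confirm that this asymmetry is intended.

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any header"
    puts "permit icmp $prefixv6 any parameter-option"
}

foreach prefixv6 $INNER_PREFIXES {
    puts "permit icmp $prefixv6 any next-header"
}

}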


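set neighbordiscovery   { # begin neighbordiscovery
# Neighbor Discovery messages are link-scoped and must not cross the
# filter. Lines are emitted with puts; a bare string would be run as a
# command.
# NOTE(review): when this ACL is applied as an interface traffic-filter
# (see aclend), explicitly denying nd-ns/nd-na may also block the
# router's own neighbor resolution on that link, since the platform's
# implicit ND permits normally sit after the explicit entries. Confirm
# on the target platform before deploying.

puts "deny icmp any any nd-ns"
puts "deny icmp any any nd-na"
puts "deny icmp any any router-solicitation"
puts "deny icmp any any router-advertisement"
puts "deny icmp any any redirect"

}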

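set mldmessages   {  # begin mldmessages
# Multicast Listener Discovery messages are link-scoped and are dropped.
# Lines are emitted with puts; a bare string would be run as a command.

puts "deny icmp any any mld-query"
puts "deny icmp any any mld-reduction"
puts "deny icmp any any mld-report"

}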

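set routerenumbering   {  # begin routerenumbering
# Router Renumbering messages are dropped.
# Lines are emitted with puts; a bare string would be run as a command.

puts "deny icmp any any renum-command"
puts "deny icmp any any renum-result"
puts "deny icmp any any renum-seq-number"

}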

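set mobilev6   {  # begin mobilev6
# Mobile IPv6 messages (DHAAD request/reply, Mobile Prefix
# solicitation/advertisement). Lines are emitted with puts; a bare
# string would be run as a command.

# Home agents inside: requests/solicitations come in, replies go out.
if { $HOME_AGENTS_PRESENT == 1 } {

    foreach prefixv6 $INNER_PREFIXES {
        puts "permit icmp any $prefixv6 dhaad-request"
        puts "permit icmp $prefixv6 any dhaad-reply"
        puts "permit icmp any $prefixv6 mpd-solicitation"
        puts "permit icmp $prefixv6 any mpd-advertisement"
    }

}

# Mobile nodes inside: requests/solicitations go out, replies come in.
if { $MOBILE_NODES_PRESENT == 1 } {

    foreach prefixv6 $INNER_PREFIXES {
        puts "permit icmp $prefixv6 any dhaad-request"
        puts "permit icmp any $prefixv6 dhaad-reply"
        puts "permit icmp $prefixv6 any mpd-solicitation"
        puts "permit icmp any $prefixv6 mpd-advertisement"
    }

}

}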

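set dropother   {  # begin dropother
# Final catch-all: every ICMPv6 message not matched above is denied.
# Emitted with puts; a bare string would be run as a command.
puts "deny icmp any any"
}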

# Drive the generation: banner, constants and ACL header first, then each
# RFC 4890 message-class block in order, then the interface binding.
# Each block is eval'd at this (global) scope, exactly as before; the loop
# variable is removed afterwards so no extra global is left behind.
foreach block {banner setconstants aclbegin} {
    eval [set $block]
}
puts "\nPlease wait...\n\n"
foreach block {
    echoreqresp destunreachable packet2big exceededtime parameterproblem
    neighbordiscovery mldmessages routerenumbering mobilev6 dropother
} {
    eval [set $block]
}
unset block

eval $aclend
puts "Finished! - Your router is RFC4890 compliant."
