fix: ipv6 firewall icmpv6 sources [Backport 5.6.0] (#5973)

* fix(linux.net): Remove source restrictions for critical IPv6 ICMPv6 types

ICMPv6 types 133-136 (Router/Neighbor Discovery) are essential for IPv6
connectivity and should not be restricted to fe80::/10 sources only.
This restriction was breaking DNS resolution when DNS servers use ULA
addresses (fd00::/8) or Global Unicast addresses (2000::/3).

- Remove fe80::/10 source restriction for ICMPv6 types 133-136
- Add explanatory comment for the critical nature of these types
- Fixes IPv6 connectivity issues with non-link-local DNS servers

Tested with DNS servers using ULA addresses like fd63:50cc:f62:8::1

* fix(linux.net): Remove source restrictions for multicast IPv6 ICMPv6 types

Extend the IPv6 firewall fix to include multicast-related ICMPv6 types
that are essential for IPv6 multicast services and routing protocols.

Removed fe80::/10 source restrictions for:
- Type 130-132: Multicast Listener Discovery (MLD)
- Type 151-153: Multicast Router Discovery

This fixes issues with:
- Multicast DNS (mDNS) resolution
- DHCPv6 multicast communications
- IPv6 routing protocols (OSPFv3, RIPng)
- Service discovery (Bonjour, Avahi)
- IoT protocols (Thread, Matter) using IPv6 multicast

Inverse Neighbor Discovery (141-142) and Certificate Path (148-149)
remain restricted to fe80::/10 as they are less critical for basic
IPv6 connectivity.

* Updated version

Signed-off-by: MMaiero <[email protected]>

* Added coverage tests

Signed-off-by: MMaiero <[email protected]>

* Tests alignment with develop

Signed-off-by: MMaiero <[email protected]>

---------

Signed-off-by: MMaiero <[email protected]>

Author: MMaiero

kura/distrib/config/kura.build.properties

@@ -47,7 +47,7 @@ org.eclipse.kura.ble.provider.version=1.6.0
 org.eclipse.kura.ble.ibeacon.provider.version=1.6.0
 org.eclipse.kura.ble.eddystone.provider.version=1.6.0
 org.eclipse.kura.linux.command.version=1.6.0
-org.eclipse.kura.linux.net.version=2.6.0
+org.eclipse.kura.linux.net.version=2.6.1-SNAPSHOT
 org.eclipse.kura.linux.sysv.provider.version=1.6.0
 org.eclipse.kura.linux.systemd.provider.version=1.6.0
 org.eclipse.kura.linux.debian.provider.version=1.6.0

kura/org.eclipse.kura.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/IptablesConfigIPv6.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2023 Eurotech and/or its affiliates and others
+ * Copyright (c) 2023, 2025 Eurotech and/or its affiliates and others
  *
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
@@ -35,20 +35,23 @@ public class IptablesConfigIPv6 extends IptablesConfig {
             "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 145 -j ACCEPT",
             "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 146 -j ACCEPT",
             "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 147 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 130 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 131 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 132 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 133 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 134 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 135 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 136 -j ACCEPT",
+            // Multicast Listener Discovery - essential for IPv6 multicast (mDNS, DHCPv6, etc.)
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 130 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 131 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 132 -j ACCEPT",
+            // Critical Neighbor/Router Discovery - no source restriction for IPv6 connectivity
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 133 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 134 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 135 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 136 -j ACCEPT",
             "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 141 -j ACCEPT",
             "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 142 -j ACCEPT",
             "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 148 -j ACCEPT",
             "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 149 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 151 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 152 -j ACCEPT",
-            "-A input-kura -s fe80::/10 -p ipv6-icmp -m ipv6-icmp --icmpv6-type 153 -j ACCEPT",
+            // Multicast Router Discovery - essential for IPv6 routing protocols
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 151 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 152 -j ACCEPT",
+            "-A input-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 153 -j ACCEPT",
             "-A forward-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 1 -j ACCEPT",
             "-A forward-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 2 -j ACCEPT",
             "-A forward-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 3/0 -j ACCEPT",