bugzilla-daemon at netfilter.org
2020-Aug-03 06:56 UTC
[Bug 1447] New: Conntrack marks ICMPv6 multicast and anycast ping responses as invalid.
https://bugzilla.netfilter.org/show_bug.cgi?id=1447

Bug ID: 1447
Summary: Conntrack marks ICMPv6 multicast and anycast ping responses as invalid.
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: nf_conntrack
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: igo9586 at yandex.ru

For example:

ping ff02::1%interface # ping all nodes on the link
ping ff02::2%interface # ping all routers on the link
ping ff05::2 # ping all nodes in ULA
ping fd00:: # anycast ping the ULA

In all these cases the conntrack expects the responses to be from the same address as the ping request; however, the responses will come from different addresses. For example, the link-local multicasts will receive a reply from the fe80::/10 range (example fe80::aaaa:bbbb:cccc:dddd).

This causes an issue if you have conntrack set up to drop invalid packets (`ct state invalid drop` in nftables).
bugzilla-daemon at netfilter.org
2020-Aug-03 07:06 UTC
[Bug 1447] Conntrack marks ICMPv6 multicast and anycast ping responses as invalid.
https://bugzilla.netfilter.org/show_bug.cgi?id=1447

--- Comment #1 from igo9586 at yandex.ru ---

Tested on: Arch Linux
Kernel version 5.7.11
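A simplified model of the reply matching described in this report, added here as an illustration; it is not netfilter code and not part of the original messages. The names `Flow`, `pkt`, `TrackerModel` and `demo`, and the addresses fe80::1, fe80::2, fd00::10 and fd00::1234, are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

ECHO_REQUEST, ECHO_REPLY = 128, 129  # ICMPv6 types from RFC 4443

class Flow(NamedTuple):
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    icmp_type: int
    icmp_id: int

def pkt(src, dst, icmp_type, icmp_id):
    return Flow(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), icmp_type, icmp_id)

def expected_reply(req):
    # Inverted tuple: addresses swapped, echo-request paired with echo-reply.
    return Flow(req.dst, req.src, ECHO_REPLY, req.icmp_id)

def reply_can_ever_match(req):
    # A multicast address is never a legal source address (RFC 4291), so the
    # inverted tuple of a multicast echo request cannot be satisfied.
    return not expected_reply(req).src.is_multicast

class TrackerModel:
    """Toy tracker (assumption: exact tuple match only), not the kernel's logic."""
    def __init__(self):
        self.expected = set()

    def classify(self, p):
        if p.icmp_type == ECHO_REQUEST:
            self.expected.add(expected_reply(p))
            return "new"
        return "established" if p in self.expected else "invalid"

def demo():
    # Constructed traffic: (pinging host, destination pinged, address that answers).
    cases = {
        "unicast": ("fe80::1", "fe80::2", "fe80::2"),
        "multicast": ("fe80::1", "ff02::1", "fe80::aaaa:bbbb:cccc:dddd"),
        "anycast": ("fd00::10", "fd00::", "fd00::1234"),
    }
    ct, out = TrackerModel(), {}
    for icmp_id, (name, (host, dst, responder)) in enumerate(cases.items(), start=1):
        ct.classify(pkt(host, dst, ECHO_REQUEST, icmp_id))
        out[name] = ct.classify(pkt(responder, host, ECHO_REPLY, icmp_id))
    return out

if __name__ == "__main__":
    print(demo())
```

The anycast case passes `reply_can_ever_match` because an anycast address is syntactically a unicast address, yet the reply still fails the exact match when the responder answers from its own address.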