bugzilla-daemon at netfilter.org
2020-Aug-03  06:56 UTC
[Bug 1447] New: Conntrack marks ICMPv6 multicast and anycast ping responses as invalid.
https://bugzilla.netfilter.org/show_bug.cgi?id=1447
            Bug ID: 1447
           Summary: Conntrack marks ICMPv6 multicast and anycast ping
                    responses as invalid.
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nf_conntrack
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: igo9586 at yandex.ru
For example:
ping ff02::1%interface # ping all nodes on the link
ping ff02::2%interface # ping all routers on the link
ping ff05::2 # ping all nodes in ULA
ping fd00:: # anycast ping the ULA
In all these cases the conntrack expects the responses to be from the same
address as the ping request; however, the responses will come from
different addresses.
For example, the link-local multicasts will receive a reply from the fe80::/10 range
(example fe80::aaaa:bbbb:cccc:dddd).
This causes an issue if you have conntrack set up to drop invalid packets
(`ct state invalid drop` in nftables).
-- 
You are receiving this mail because:
You are watching all bug changes.
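
A simplified model of the reply matching described in the report above, added here as an illustration (it is not netfilter code and not part of the original report). The class and function names and the fe80::1 / fe80::2 addresses are constructed; the responder address is the example from the report.

```python
import ipaddress
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 128, 129  # ICMPv6 type numbers


@dataclass(frozen=True)
class IcmpTuple:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    icmp_type: int
    icmp_id: int


class ConntrackModel:
    """Toy tracker: remembers the reply tuple expected for each echo request."""

    def __init__(self):
        self.expected_replies = set()

    def classify(self, src, dst, icmp_type, icmp_id):
        pkt = IcmpTuple(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst),
                        icmp_type, icmp_id)
        if pkt in self.expected_replies:
            return "established"
        if icmp_type == ECHO_REQUEST:
            # Expected reply: addresses swapped, echo reply, same identifier.
            self.expected_replies.add(
                IcmpTuple(pkt.dst, pkt.src, ECHO_REPLY, icmp_id))
            return "new"
        return "invalid"  # a reply that matches no tracked request


def demo():
    ct = ConntrackModel()
    host, peer = "fe80::1", "fe80::2"        # constructed addresses
    responder = "fe80::aaaa:bbbb:cccc:dddd"  # example address from the report
    return [
        ct.classify(host, peer, ECHO_REQUEST, 1),       # unicast ping
        ct.classify(peer, host, ECHO_REPLY, 1),         # reply from the pinged address
        ct.classify(host, "ff02::1", ECHO_REQUEST, 2),  # all-nodes multicast ping
        ct.classify(responder, host, ECHO_REPLY, 2),    # reply from a unicast source
    ]


if __name__ == "__main__":
    print(demo())
```

The expected reply for the multicast request has source ff02::1, which no responder ever uses as a source address, so the last packet cannot match and is the one a `ct state invalid drop` rule would discard.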
bugzilla-daemon at netfilter.org
2020-Aug-03  07:06 UTC
[Bug 1447] Conntrack marks ICMPv6 multicast and anycast ping responses as invalid.
https://bugzilla.netfilter.org/show_bug.cgi?id=1447
--- Comment #1 from igo9586 at yandex.ru ---
Tested on: Arch Linux Kernel version 5.7.11