On Tue, Jun 08, 2021 at 01:48:16PM +0200, Florian Westphal wrote:
> Quoting nf bugzilla:
> --------
> Using the following for
> reverse path filtering breaks IPv6 duplicate address detection:
>
> table inet ip46_firewall {
>     chain ip46_rpfilter {
>         type filter hook prerouting priority raw;
>         fib saddr . iif oif missing log prefix "RPFILTER: " drop
>     }
> }
>
> This is because packets from :: to ff02::1:ff00/104 will be dropped and thus
> other hosts on the network cannot detect that this host already has the same
> address assigned. The problem can be worked around in nft rules by handling
> such packets specially but I guess it should work as is.
>
> In the kernel in ip6t_rpfilter.c the function rpfilter_mt() checks for
> saddrtype == IPV6_ADDR_ANY. nft_fib_ipv6.c doesn't seem to have an equivalent
> check for this special case.
> --------
>
> First patch adds a test case for this, second patch makes icmpv6 from
> any to link-local bypass the fib lookup, just like loopback packets.

Applied, thanks.
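For kernels that do not carry the fix, the rule-level workaround mentioned in the quoted report could look like the ruleset below. This is an added example, not part of the original mail or of the applied patches; the exemption rule, the hop-limit match and the solicited-node prefix written out in full (ff02::1:ff00:0/104) are assumptions of this example.

```nft
# Added example: reverse path filter from the quoted report plus a narrow
# exemption for IPv6 duplicate address detection (DAD) probes.
table inet ip46_firewall {
    chain ip46_rpfilter {
        type filter hook prerouting priority raw;

        # DAD probes are neighbor solicitations sent from the unspecified
        # address (::) to a solicited-node multicast group. The fib lookup
        # cannot find a route back to ::, so without this rule they hit the
        # drop below. Neighbor discovery packets are always sent with hop
        # limit 255, so matching on it excludes anything that was routed.
        ip6 saddr :: ip6 daddr ff02::1:ff00:0/104 ip6 hoplimit 255 icmpv6 type nd-neighbor-solicit accept

        # Original rule from the report: drop packets whose source address
        # has no route out of the interface they arrived on.
        fib saddr . iif oif missing log prefix "RPFILTER: " drop
    }
}
```

The accept verdict only ends evaluation of this chain, so later hooks and chains still see the packet. Every other packet with source :: is still subject to the fib check.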