Georg Kohmann <geokohma@xxxxxxxxx> wrote:
> PMTU is updated even though received ICMPv6 PTB do not match any
> transmitted traffic. This breaks TAHI IPv6 Core Conformance Test
> Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1].
>
> Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should
> appropriately validate the payload of ICMPv6 PTB messages to ensure
> these are received in response to transmitted traffic (i.e., a reported
> error condition that corresponds to an IPv6 packet actually sent by the
> application) per [ICMPv6]."
>
> nf_conntrack_inet_error() returns -NF_ACCEPT if the inner header of
> ICMPv6 error packet is not related to an existing connection. Drop PTB
> packet when this occurs. This will prevent ipv6 from handling the packet
> and update the PMTU.

This is intentional. We try to not auto-drop packets in conntrack.
Packet is marked as invalid, users can add nft/iptables rules to discard
such packets if they want to do so.
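
Added example, not part of the original message and not the netfilter project's own configuration: an nftables ruleset of the kind the reply refers to, which drops ICMPv6 Packet Too Big messages that conntrack has marked invalid and accepts those it classifies as related to a tracked flow. The table name `ptb_filter`, the log prefix and the hook priority are assumptions chosen for illustration.

```nftables
# Added example: table name, log prefix and priority are assumptions.
table inet ptb_filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # PTB whose embedded (inner) packet matches a tracked connection:
        # conntrack classifies it as related, so let it through and let
        # the IPv6 stack update the path MTU.
        icmpv6 type packet-too-big ct state related counter accept

        # PTB whose inner header matches no tracked connection: conntrack
        # marks it invalid but does not drop it. Count, log and discard
        # it here so it never reaches the PMTU update.
        icmpv6 type packet-too-big ct state invalid counter log prefix "ptb-invalid: " drop
    }
}
```

Load it with `nft -f <file>`; the per-rule counters then show how many PTB messages fall into each class.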