On 24.06.2021 11:05, Florian Westphal wrote:
> Georg Kohmann <geokohma@xxxxxxxxx> wrote:
>> PMTU is updated even though received ICMPv6 PTB does not match any
>> transmitted traffic. This breaks TAHI IPv6 Core Conformance Test
>> Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1].
>>
>> Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should
>> appropriately validate the payload of ICMPv6 PTB messages to ensure
>> these are received in response to transmitted traffic (i.e., a reported
>> error condition that corresponds to an IPv6 packet actually sent by the
>> application) per [ICMPv6]."
>>
>> nf_conntrack_inet_error() returns -NF_ACCEPT if the inner header of
>> ICMPv6 error packet is not related to an existing connection. Drop PTB
>> packet when this occurs. This will prevent ipv6 from handling the packet
>> and updating the PMTU.
> This is intentional. We try to not auto-drop packets in conntrack.
>
> Packet is marked as invalid, users can add nft/iptables rules to discard
> such packets if they want to do so.

Ah, dropping patch then, thank you.
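
The kind of rule mentioned in the reply above, as an added example that is not part of the original thread: an nftables ruleset that discards ICMPv6 Packet Too Big messages which conntrack has marked invalid, so they never reach the IPv6 stack and cannot update the PMTU. The table name `pmtu_guard` and the chain layout are assumptions; the base chain runs at priority 0, after conntrack has classified the packet.

```nftables
# Added example; table and chain names are hypothetical.
table inet pmtu_guard {
    chain input {
        # Priority 0 runs after the conntrack hook (priority -200),
        # so "ct state" is already set when these rules are evaluated.
        type filter hook input priority 0; policy accept;

        # PTB whose embedded packet matches a tracked connection is
        # classified as "related" and is accepted, so legitimate
        # Path MTU Discovery keeps working.
        ct state related icmpv6 type packet-too-big accept

        # PTB whose embedded packet matches no tracked connection is
        # classified as "invalid": count it and drop it before the
        # IPv6 stack can process it.
        ct state invalid icmpv6 type packet-too-big counter drop
    }
}
```

Load it with `nft -f <file>`; the counter on the drop rule shows how many unsolicited PTB messages were discarded.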