Hello, Mike Kazantsev a écrit : > > I wonder if the following problem is a bug in netfilter or I'm just > doing something wrong, but it wasn't always like that. > Problem started probably with some kernel update on router machine, [...] > I've tried setting -j LOG to FORWARD chain of ip6tables and it always > (both while the connection works and not) shows lines like this: > Dec 19 14:09:48 kern.warn<4> kernel[-]@damnation: IN=lan OUT=vde > SRC=2001:0470:1f0b:11de:0000:0000:0000:0013 > DST=2001:0470:1f0b:11de:0000:0000:0000:0021 > LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 > TYPE=128 CODE=0 ID=29524 SEQ=8 > > So, I assume the packet is lost somewhere in netfilter, but I've no > idea how to tell why it's getting discarded like that. Have you tried to track the packet in the mangle/POSTROUTING chain too, either with the LOG target in that chain or with the TRACE target in the raw/PREROUTING chain ? > Strangely enough (for me), when I type "ping6 2001:0470:1f0b:11de::21" > on router machine it gives "Destination unreachable: Address > unreachable" This indicates that the neighbour discovery for that address failed, either because the ICMPv6 neighbour solicitation request could not be sent or the ICMPv6 neighbour advertisement reply was not received. If neighbour discovery fails, packets cannot be sent or forwarded to that destination. > ip addr: > 2: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 [...] > inet6 2001:470:1f0b:11de::10/125 scope global [...] > 7: vde: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500 [...] > inet6 2001:470:1f0b:11de::20/125 scope global Regardless of your problem, 2001:470:1f0b:11de::10 and 2001:470:1f0b:11de::20 are the prefix addresses of 2001:470:1f0b:11de::10/25 and 2001:470:1f0b:11de::20/25 and have a special status : they are anycast addresses meaning "any router connected to that prefix". So I guess that they should not be assigned to an interface. > ip6tables has following rules (at the start of FORWARD chain): > -I FORWARD -i vde -j ACCEPT > -I FORWARD -i lan -j ACCEPT ICMPv6 packets involved in neighbour discovery go through the INPUT and OUTPUT chains. What do these chains contain ? Connection tracking of these ICMPv6 types changed in kernel 2.6.29. You wrote in the subject "with ip6tables". Do you mean that it works without ip6tables, without ip6_tables loaded or without ip6table_filter loaded, or with all chains empty and with ACCEPT default policy ? -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
