Hello,

Christian Hesse wrote:
>
> I have problems with my IPv6 firewall concerning connection tracking and
> mDNS. This is part of the rules:
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -s fe80::/64 -d ff02::fb -p udp -j LOG --log-prefix "DEBUG1: "
> -A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
> [...]
> -A INPUT -j LOG --log-prefix "DEBUG2: "
> -A INPUT -j REJECT
>
> So why is the connection not tracked? I would expect the fragment to belong
> to an established connection and be accepted.

mDNS uses multicast, and AFAIK netfilter connection tracking does not (yet?)
handle multicast because the source/destination addresses in the reply packet
do not match those in the request packet, so it does not qualify as a
"connection" by the conntrack standards.
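The point made in the reply, worked through as an added example that is not part of the thread and is not netfilter code: a small model of conntrack's tuple matching (original tuple plus the expected reply tuple with addresses and ports swapped) run against the INPUT chain quoted above. The addresses (2001:db8::10, 2001:db8::53, fe80::1, fe80::2) and the ephemeral port 40000 are made up for the illustration; the model ignores RELATED, INVALID and entry timeouts. It goes slightly beyond the post by also covering a one-shot mDNS query that gets a legacy unicast response (RFC 6762 section 6.7): that response comes from the responder's own address rather than from ff02::fb, so it does not match the reply tuple either.

```python
"""Toy model of nf_conntrack tuple matching and the quoted ip6tables INPUT chain.
Constructed for illustration; not netfilter's implementation."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "udp"

    def reply(self) -> "Flow":
        # The reply tuple conntrack expects: addresses and ports swapped.
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)


class Conntrack:
    """Keeps (original, reply) tuple pairs and assigns a ctstate to each packet."""

    def __init__(self):
        self.entries = []  # each: {"orig": Flow, "reply": Flow, "replied": bool}

    def _find(self, pkt):
        for e in self.entries:
            if pkt == e["orig"]:
                return e, "ORIGINAL"
            if pkt == e["reply"]:
                return e, "REPLY"
        return None, None

    def state(self, pkt: Flow) -> str:
        """Return the ctstate this packet would get, updating the table."""
        entry, direction = self._find(pkt)
        if entry is None:
            self.entries.append({"orig": pkt, "reply": pkt.reply(), "replied": False})
            return "NEW"
        if direction == "REPLY":
            entry["replied"] = True
            return "ESTABLISHED"
        # Original direction: ESTABLISHED only once a reply has been seen.
        return "ESTABLISHED" if entry["replied"] else "NEW"


LINK_LOCAL = IPv6Network("fe80::/64")
MDNS_GROUP = IPv6Address("ff02::fb")


def rule_established(pkt, st):
    # -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    return st in ("RELATED", "ESTABLISHED")


def rule_mdns(pkt, st):
    # -A INPUT -s fe80::/64 -d ff02::fb -p udp --dport 5353 -j ACCEPT
    return (IPv6Address(pkt.src) in LINK_LOCAL and IPv6Address(pkt.dst) == MDNS_GROUP
            and pkt.proto == "udp" and pkt.dport == 5353)


# Chain as quoted (LOG rules omitted; the INVALID rule never fires in this model).
INPUT_CHAIN = [(rule_established, "ACCEPT"), (rule_mdns, "ACCEPT")]
# Same chain without the explicit mDNS accept, to show what conntrack alone gives.
INPUT_CHAIN_NO_MDNS = [(rule_established, "ACCEPT")]


def input_verdict(chain, pkt, ct):
    """Walk the chain in order; the final -A INPUT -j REJECT is the fallthrough."""
    st = ct.state(pkt)
    for match, target in chain:
        if match(pkt, st):
            return st, target
    return st, "REJECT"


def unicast_dns_scenario(chain=INPUT_CHAIN):
    ct = Conntrack()
    ct.state(Flow("2001:db8::10", "2001:db8::53", 40000, 53))   # our outgoing query (constructed)
    # Reply comes back with addresses/ports swapped: matches the reply tuple.
    return input_verdict(chain, Flow("2001:db8::53", "2001:db8::10", 53, 40000), ct)


def mdns_scenario(chain=INPUT_CHAIN):
    ct = Conntrack()
    ct.state(Flow("fe80::1", "ff02::fb", 5353, 5353))          # our multicast query (constructed)
    # Responder answers from its own link-local address, to the group: neither tuple matches.
    return input_verdict(chain, Flow("fe80::2", "ff02::fb", 5353, 5353), ct)


def mdns_legacy_unicast_scenario(chain=INPUT_CHAIN):
    ct = Conntrack()
    ct.state(Flow("fe80::1", "ff02::fb", 40000, 5353))         # one-shot query from an ephemeral port
    # Legacy unicast response goes to the querier but from fe80::2, not from ff02::fb.
    return input_verdict(chain, Flow("fe80::2", "fe80::1", 5353, 40000), ct)


if __name__ == "__main__":
    print("unicast DNS reply:      ", unicast_dns_scenario())
    print("mDNS response (chain):  ", mdns_scenario())
    print("mDNS response (ct only):", mdns_scenario(INPUT_CHAIN_NO_MDNS))
    print("mDNS legacy unicast:    ", mdns_legacy_unicast_scenario())
```

The unicast reply reaches ESTABLISHED and is accepted by the first rule; every mDNS response stays NEW because its source is the responder, not the multicast group that the reply tuple expects, so it is only accepted if an explicit rule such as the `--dport 5353` one in the quoted chain matches it before the final REJECT.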