> It doesn't. The trace shows dropped, incoming (iif ens3) icmp reply.
> Outbound packet passes fine. You're dropping the replies.
>
> You will need to accept arp for ipv4 and icmpv6 packets that handle
> neigh discovery at the very least.
>
> If you want ping to work, accept icmp echo-reply packets.

Oh right, because it is stateless and does not recognize the frame as ct state 2,4... silly me...

Mhm, I am thinking how best to utilize netdev then. As a global drop policy it does not seem so convenient - having to check, for each host app, which protocol/port is used for the returning frames, and some apps may even randomize those ports. Putting the meters in netdev makes a lot of sense.

Is there any plan perhaps for a ct hook for netdev?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
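The following nftables ruleset is an added illustration of the point made in the quoted reply; it is not part of the thread and was not posted by either participant. It puts together what the reply says a netdev ingress chain with policy drop has to accept explicitly, because there is no conntrack at that hook: ARP, the ICMPv6 neighbour-discovery types, and the ICMP/ICMPv6 echo replies to pings the host sends out. The interface name ens3 is the one mentioned in the trace; the SSH/DNS rules, the meter name and the rate are assumptions chosen for the example. The "tcp flags ack" and "udp sport 53" rules are the classic stateless stand-in for the ct state established,related that is unavailable here; they are weaker than conntrack (an ACK scan or a packet with source port 53 gets through), which is exactly the convenience problem the reply raises.

```nft
# Added example, not from the thread. Stateless ingress filtering on ens3.
# Everything not accepted below is dropped before it reaches the IP stack,
# so every kind of reply traffic has to be listed by hand.
table netdev ingress_filter {
    chain ingress {
        type filter hook ingress device ens3 priority 0; policy drop;

        # Link-layer essentials: without these the host loses its neighbours.
        meta protocol arp accept
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Replies to pings this host sends (the drop seen in the trace).
        icmp type echo-reply accept
        icmpv6 type echo-reply accept

        # Rate-limit new inbound SSH connections per source address with a meter
        # (ssh_syn and 10/second are assumed values). A bare SYN is the only
        # "new connection" signal available without conntrack.
        tcp dport 22 tcp flags & (syn | ack) == syn \
            meter ssh_syn { ip saddr limit rate over 10/second } drop
        tcp dport 22 tcp flags & (syn | ack) == syn accept

        # Crude stateless "established": any TCP segment with ACK set. This
        # is what conntrack would otherwise give you, minus the state check.
        tcp flags ack accept

        # DNS answers to this host's own queries, matched only by source port.
        udp sport 53 accept
    }
}
```

Load it with "nft -f" and watch the counters with "nft list ruleset"; anything an application expects back on a randomised port (the case raised in the reply above) still needs its own rule, which is why the ct state shortcut is missed at this hook.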