IPv6 nft vs ip6tables - Local incompatibility?

Hello,

I use nftables in a network where the workstations run Ubuntu 18 or Debian 9/10.

IPv6 networks are:
2a01:YYY:ZZZ:10::9000/128
2a01:YYY:ZZZ:10::/64

ICMP rules on 2a01:YYY:ZZZ:10::4:

chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    oif "lan" meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
    oif "lan" ct state established,related,new counter packets 0 bytes 0 accept
}

Pinging ipv6 addresses external to the network is working fine.

Pinging a local machine, no matter which LAN it is on, I get "ping sendmsg: operation not permitted".

If I change the policy to accept, I get:
From 2a01:YYY:ZZZ:10::4 icmp_seq=1 Destination unreachable: Address unreachable

If I switch to ip6tables:

pkts bytes target prot   in  out source destination
  96 10892 ACCEPT icmpv6 lan *   ::/0   2a01:729:16e:10::4
   6  1008 ACCEPT icmpv6 lan *   ::/0   ::/0   ipv6-icmptype 134 HL match HL == 255
  31  2232 ACCEPT icmpv6 lan *   ::/0   ::/0   ipv6-icmptype 135 HL match HL == 255
  39  2496 ACCEPT icmpv6 lan *   ::/0   ::/0   ipv6-icmptype 136 HL match HL == 255
   0     0 ACCEPT icmpv6 lan *   ::/0   ::/0   ipv6-icmptype 137 HL match HL == 255

I can ping machines on both LANs.

Any clue?
--
Daniel
TOOTAi Networks
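For comparison, here are the ip6tables INPUT rules from the listing above rewritten as an nftables ip6 table. This is an added example, not the poster's ruleset; the table and chain names, the "lo" rule and the conntrack rule are assumptions, while the interface name "lan" and the host address come from the post.

```nft
# Added example: the ip6tables INPUT listing from the post, as an nftables
# ip6 table. Table/chain names are assumed; "lan" and the host address are
# taken from the post. Load with: nft -f <file>
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Assumed, not in the listing: loopback traffic
        iif "lo" accept

        # Rule 1 of the listing: any ICMPv6 addressed to this host
        iif "lan" ip6 daddr 2a01:729:16e:10::4 meta l4proto ipv6-icmp counter accept

        # Rules 2-5 of the listing: Neighbour Discovery, ICMPv6 types 134-137
        # (router advertisement, neighbour solicitation, neighbour
        # advertisement, redirect). These link-local control messages are
        # always sent with hop limit 255; if a host never receives them it
        # cannot resolve on-link neighbours, and ping to a local address
        # typically reports "Destination unreachable: Address unreachable".
        iif "lan" ip6 hoplimit 255 icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } counter accept

        # Assumed, not in the listing: replies to this host's own connections
        ct state established,related counter accept
    }
}
```

The counters on each rule make it easy to see with `nft list ruleset` whether the Neighbour Discovery rule is being hit at all.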
