On 30/10/2019 at 18:18, Florian Westphal wrote:
Daniel Huhardeaux <tech@xxxxxxxxxx> wrote:
Hello,
I use nftables in a network where stations are under Ubuntu 18 or Debian
9/10.
IPv6 networks are:
2a01:YYY:ZZZ:10::9000/128
2a01:YYY:ZZZ:10::/64
ICMP rules on 2a01:YYY:ZZZ:10::4
chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    oif "lan" meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
    oif "lan" ct state established,related,new counter packets 0 bytes 0 accept
}
Pinging ipv6 addresses external to the network is working fine.
Pinging a local machine, doesn't matter in which lan, I get "ping sendmsg:
operation not permitted".
If I change policy to accept, I get
From 2a01:YYY:ZZZ:10::4 icmp_seq=1 Destination unreachable: Address
unreachable
If I switch to ip6tables
 96 10892 ACCEPT icmpv6 lan * ::/0 2a01:729:16e:10::4
  6  1008 ACCEPT icmpv6 lan * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
 31  2232 ACCEPT icmpv6 lan * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
 39  2496 ACCEPT icmpv6 lan * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
  0     0 ACCEPT icmpv6 lan * ::/0 ::/0 ipv6-icmptype 137 HL match HL == 255
I can ping machines from both LANs.
Any clue?
It looks like nft ruleset tests output, whereas ip6tables checks
input...
My bad, I pasted the wrong output :(
Anyway, I found the problem: flushing ip6tables rules is not enough to
disable ip6tables, you have to unload the modules too. All nftables machines
were rebooted and now all is good.
Thanks for your help
--
TOOTAi Networks
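An added example, not code from this thread or from the netfilter project, for the condition the thread ends on: an nftables host on which the legacy ip6tables modules are still loaded, so the legacy filter table keeps its chain policies and keeps filtering traffic that the nftables ruleset never sees, even after `ip6tables -F`. The script reads a /proc/modules-style file and an `ip6tables -S`-style file, so it runs offline on the constructed samples embedded below; on a live host you would pass /proc/modules and a saved `ip6tables -S` dump. The module name list and sample file contents are my assumptions, not something taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect legacy ip6tables modules that
# are still loaded next to nftables. A flushed legacy table keeps its chain
# policies, and while its module is loaded those policies still apply.

# Print the loaded legacy IPv6 netfilter table modules, one per line.
# $1: a file in /proc/modules format (first field is the module name).
legacy_ip6_modules() {
    awk '$1 ~ /^ip6(_tables|table_(filter|mangle|raw|nat|security))$/ { print $1 }' "$1"
}

# Print chains of the legacy table whose policy is not ACCEPT.
# $1: a file in `ip6tables -S` format; "-P CHAIN POLICY" lines survive a flush.
non_accept_policies() {
    awk '$1 == "-P" && $3 != "ACCEPT" { print $2 }' "$1"
}

# Exit status 0 when legacy ip6tables can still interfere with nftables
# (a legacy table module is loaded), 1 when the host is clear.
legacy_ip6tables_active() {
    [ -n "$(legacy_ip6_modules "$1")" ]
}

# Human-readable report; returns the same status as legacy_ip6tables_active.
# $1: modules file, $2: ip6tables -S file.
report() {
    mods=$(legacy_ip6_modules "$1")
    if [ -z "$mods" ]; then
        echo "ok: no legacy ip6tables modules loaded, nftables is the only IPv6 filter"
        return 1
    fi
    echo "warning: legacy ip6tables modules still loaded:"
    echo "$mods" | sed 's/^/  /'
    pols=$(non_accept_policies "$2")
    if [ -n "$pols" ]; then
        echo "warning: flushed legacy chains still carry a non-ACCEPT policy: $(echo "$pols" | tr '\n' ' ')"
    fi
    echo "fix: set the legacy policies to ACCEPT, flush, then unload the modules (ip6table_* before ip6_tables), or reboot as in the thread"
    return 0
}

# Constructed samples (not captured from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/modules.legacy" <<'EOF'
ip6table_filter 16384 1 - Live 0x0000000000000000
ip6_tables 32768 1 ip6table_filter, Live 0x0000000000000000
nf_tables 180224 9 nft_ct,nft_counter, Live 0x0000000000000000
EOF
cat > "$SAMPLE_DIR/modules.clean" <<'EOF'
nf_tables 180224 9 nft_ct,nft_counter, Live 0x0000000000000000
nf_conntrack 139264 2 nft_ct,nf_tables, Live 0x0000000000000000
EOF
cat > "$SAMPLE_DIR/ip6tables.flushed" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
EOF

report "$SAMPLE_DIR/modules.legacy" "$SAMPLE_DIR/ip6tables.flushed"
report "$SAMPLE_DIR/modules.clean" "$SAMPLE_DIR/ip6tables.flushed" || true
```

The check keys on the loaded modules rather than on the rule listing because that is the point of the thread: an empty `ip6tables -S` output can still hide a DROP policy that the legacy module enforces, and only unloading the module (or rebooting) takes the legacy hook out of the packet path.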