This works (i.e. both IPv4 and IPv6 connectivity):
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		# replies to connections this host opened
		ct state established,related accept
		# packets conntrack could not classify
		ct state invalid drop
	}
}
This cuts IPv6 connectivity entirely (IPv4 connectivity still works):
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		# replies to connections this host opened
		ct state established,related accept
		# additionally drop packets that conntrack left untracked
		ct state invalid,untracked drop
	}
}
It reproduces on each toggle between `ct state invalid,untracked drop` and
`ct state invalid drop` (the ct DB/cache needs to be cleared in between
toggles). I enabled logging, but nothing was printed that would provide a hint.
Is this something to be expected, and if so why, or is it a bug in the
kernel / nft?
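Added example (editor's note, not part of the original post): a variant of the second ruleset that keeps the `untracked` drop but still passes the ICMPv6 messages IPv6 cannot function without. The kernel's ICMPv6 conntrack code (`net/netfilter/nf_conntrack_proto_icmpv6.c`) deliberately creates no entry for Neighbor Discovery and MLD messages and marks the skb `IP_CT_UNTRACKED` instead, so they match `ct state untracked` and a blanket drop silently removes address resolution and router discovery. The table and chain names are the poster's; the exception rules, the hop-limit check and the counter/log are assumptions about what the poster wants and are not their code.

```nft
# Added example, not from the original post. Same table/chain as the
# poster's ruleset, with an exception for the ICMPv6 types that the
# kernel's conntrack leaves untracked on purpose.
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept

		# Neighbor Discovery (RFC 4861) arrives as "ct state untracked".
		# RFC 4861 also requires hop limit 255 on these messages, so
		# anything else can be refused without hurting connectivity.
		icmpv6 type { nd-router-solicit, nd-router-advert,
		              nd-neighbor-solicit, nd-neighbor-advert,
		              nd-redirect } ip6 hoplimit 255 accept

		# MLD (needed to join the multicast groups ND itself relies on)
		# is untracked as well.
		icmpv6 type { mld-listener-query, mld-listener-report,
		              mld-listener-done, mld2-listener-report } accept

		# Count and log whatever still reaches the untracked drop, so a
		# future IPv6 outage shows up in "nft list ruleset" even though
		# conntrack-based logging never sees untracked packets.
		ct state invalid,untracked counter log prefix "untracked-drop " drop
	}
}
```

Load it with `nft -f <file>`, flush the conntrack table (`conntrack -F`) as in the poster's toggle test, and check `nft list chain inet filter input`: the counter on the last rule shows how many untracked packets are still being dropped, and the kernel log carries the `untracked-drop ` prefix for each one.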