ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> This works (i.e. ipv4 and ipv6 connectivity)
>
> table inet filter {
>     chain input {
>         type filter hook input priority filter; policy drop;
>         ct state established,related accept
>         ct state invalid drop
>     }
>
> }
>
> This cuts ipv6 connectivity entirely (ipv4 connectivity works)
>
> table inet filter {
>     chain input {
>         type filter hook input priority filter; policy drop;
>         ct state established,related accept
>         ct state invalid,untracked drop

Yes.

> It reproduces on each toggle: ct state invalid,untracked drop <-> ct state
> invalid drop (ct db/cache needs to clear in between toggling).
> Enabled logging but nothing has been printed that would provide a hint.
>
> Is this something to be expected, and if so why, or is it a bug in kernel /
> nft?

Expected, conntrack marks icmpv6 neigh resolution as untracked.
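
An added example, not part of the thread: one way to keep the `ct state invalid,untracked drop` rule while still letting IPv6 neighbour resolution through, following the explanation in the reply above. The hop-limit match and the router-advertisement rule are assumptions about what the host needs, not something stated in the thread.

```nft
# Added example, not from the thread. Rule order matters: the neighbour
# discovery accept must be evaluated before the untracked drop.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept

        # Neighbour solicitation/advertisement is untracked by conntrack,
        # so accept it explicitly. Hop limit 255 means the packet was not
        # forwarded by a router (RFC 4861 requires receivers to check this).
        ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # Assumption: this host also relies on router advertisements (SLAAC).
        ip6 hoplimit 255 icmpv6 type nd-router-advert accept

        # Remaining invalid or untracked traffic is dropped, as in the
        # second ruleset quoted above.
        ct state invalid,untracked drop
    }
}
```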