I can successfully enable ping for IPv6 using this rule:

    nft add rule ip6 filter input ip6 nexthdr icmpv6 counter limit rate 5/second accept

I have one physical Ethernet card which is assigned five IPv6 addresses. What I want to do is enable it for only 2 of 5 IPv6 addresses, like so:

    nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::5 ip6 nexthdr icmpv6 counter limit rate 5/second accept
    nft add rule ip6 filter input ip6 daddr xxxx:43:a:83::6 ip6 nexthdr icmpv6 counter limit rate 5/second accept

...but what happens is that the first IPv6 will work, but not the second. If I reverse the order, sometimes the second rule still works but now the first doesn't.

I've tried using sets like so:

    nft add rule ip6 filter input ip6 daddr @trusted ip6 nexthdr icmpv6 counter limit rate 5/second accept
    nft add rule ip6 filter input ip6 daddr @admin ip6 nexthdr icmpv6 counter limit rate 5/second accept

... with the same result: the second rule is ignored.

What am I doing wrong? Is there something about ICMP and multiple IP addresses on one interface that I'm not aware of? How do I write multiple rules that each enable one daddr?