On Mon, May 01, 2023 at 09:58:52PM +0800, Rvfg wrote:
> Hi. I recently upgraded to the 6.3 kernel and I noticed my nftables starts
> dropping incoming IPv6 router advertisement packets. Here are my input
> chains:
>
> chain input {
>     type filter hook input priority filter; policy drop;
>     iifname "lo" accept comment "trusted interfaces"
>     ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow }
> }
>
> chain input-allow {
>     meta l4proto ipv6-icmp meta nftrace set 1
>     tcp dport { 22, 22000 } accept
>     udp dport { 21027, 22000 } accept
>     icmp type echo-request limit rate 20/second accept comment "allow ping"
>     icmpv6 type != { nd-redirect, 139 } accept
>     ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
> }
>
> This setup used to work fine. But now RA packets never go through the
> input-allow chain (they do not show up in nftrace). Something must be wrong in the
> "ct state vmap" rule. I'm able to work around this by adding a "jump
> input-allow" rule at the end of "chain input".
>
> I found https://github.com/torvalds/linux/commit/d9e7891476057b24a1acbf10a491e5b9a1c4ae77
> might be relevant (not tested yet). I'm not very familiar with the kernel.
> But the return NFT_BREAK in nft_ct_fast.c caught my eye. Is this the cause?

I don't see anything bad with this patch. Did you enable conntrack logging to
understand why conntrack is marking your packets as invalid?

# sh -c 'echo 58 > /proc/sys/net/netfilter/nf_conntrack_log_invalid'

where 58 is ICMPv6.
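The reply above enables conntrack's invalid-packet logging by writing the IP protocol number (58 for ICMPv6) to nf_conntrack_log_invalid. The script below is an added example, not part of this mail thread or of the netfilter project: it resolves a protocol name to its number via /etc/protocols so the value does not have to be looked up by hand, then writes it to the sysctl. The environment variables PROTOCOLS_FILE and LOG_INVALID_PATH are assumptions introduced here so the lookup and the write can be exercised without root; by default they point at /etc/protocols and the real /proc path. Writing 255 instead of a single protocol number logs invalid packets for every protocol.

```shell
#!/bin/sh
# Added example (not from the original mail): enable conntrack "invalid"
# logging for one L4 protocol, e.g. ipv6-icmp, so the kernel log explains
# why ct state is "invalid" for the packets the vmap rule drops.
# Assumptions: /etc/protocols exists for name lookup; writing to
# /proc/sys/net/netfilter/nf_conntrack_log_invalid requires root.
# PROTOCOLS_FILE and LOG_INVALID_PATH are hypothetical overrides for testing.

# Print the IP protocol number for a protocol name (e.g. ipv6-icmp, tcp).
# Names and aliases are matched against /etc/protocols; a numeric argument
# is echoed unchanged; an unknown name prints nothing.
proto_num() {
    case "$1" in
        ''|*[!0-9]*)
            awk -v name="$1" '
                /^[[:space:]]*#/ || NF < 2 { next }
                {
                    for (i = 1; i <= NF; i++) {
                        if ($i ~ /^#/) break          # trailing comment
                        if (i != 2 && $i == name) { print $2; exit }
                    }
                }' "${PROTOCOLS_FILE:-/etc/protocols}"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# Write the protocol number to nf_conntrack_log_invalid. Returns 1 if the
# name is unknown, so a typo does not silently disable logging (value 0).
enable_invalid_logging() {
    num=$(proto_num "$1") || return 1
    if [ -z "$num" ]; then
        echo "unknown protocol: $1" >&2
        return 1
    fi
    printf '%s\n' "$num" > "${LOG_INVALID_PATH:-/proc/sys/net/netfilter/nf_conntrack_log_invalid}"
}

# Usage (as root): sh enable_ct_log_invalid.sh ipv6-icmp
# Then inspect the kernel log (dmesg or journalctl -k) for conntrack messages.
if [ $# -gt 0 ]; then
    enable_invalid_logging "$1"
fi
```

Once logging is on, reproduce the drop (wait for the next router advertisement or trigger one with a router solicitation) and read the kernel log before deciding whether the vmap rule or conntrack's classification is at fault.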