On Tue, 2 Apr 2024 12:06:21 +0200 Pablo Neira Ayuso wrote:

> What iptables version are you using?

# iptables -V
iptables v1.8.9 (nf_tables)

> $ ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type destination-unreachable
> nft 'insert rule ip6 filter INPUT icmpv6 type destination-unreachable counter'

What you show works for me too, but e.g. this does not:

# ip6tables-translate -I INPUT -m icmpv6 --icmpv6-type ttl-zero-during-transit
nft # -I INPUT -m icmpv6 --icmpv6-type ttl-zero-during-transit

If you replace 'ip6tables' with 'ip6tables-translate' in the RFC example and run the whole script, you will see the rest which don't translate.

> What bug?

For example, in section "TIME EXCEEDED ERROR MESSAGES", right after the comment saying:

# Allow incoming time exceeded code 0 messages
# only for existing sessions

the actual rules handle 'packet-too-big' (type 2), not 'time-exceeded' (type 3) with code 0, as recommended in section 4.3.1 and as it claims. The 'else' condition right after it does not do what it should either. As a result, type 3 (which is in the "must" section 4.3.1) seems not handled anywhere.

There is also some meaningless code, e.g. the loop around the 'bad-header'. Etc.
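Added example, not part of the message above or of the RFC 4890 script it discusses: the "time exceeded code 0, existing sessions only" rule written directly in nft syntax, which is what the untranslatable 'ttl-zero-during-transit' match (ICMPv6 type 3, code 0) corresponds to. The table and chain names are assumed to match the 'ip6 filter INPUT' from the quoted translation; the drop policy and the separate packet-too-big rule are assumptions for illustration.

```nft
# Constructed ruleset fragment (assumed names: table ip6 filter, chain INPUT).
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;

        # RFC 4890 section 4.3.1: Time Exceeded code 0 (hop limit exceeded in
        # transit) is a "must" but is only wanted for traffic that belongs to a
        # connection conntrack already knows about. This is the rule the
        # message says is missing from the example script.
        icmpv6 type time-exceeded icmpv6 code 0 ct state established,related counter accept

        # Packet Too Big (type 2) is a distinct message and needs its own rule;
        # the message points out that the script handles this one where it
        # claims to handle type 3 / code 0.
        icmpv6 type packet-too-big counter accept
    }
}
```

Loading this with `nft -f` and checking `nft list chain ip6 filter INPUT` shows the type 3 / code 0 rule explicitly, so its absence in a translated ruleset is easy to spot.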