On Wed, 9 Oct 2024 10:46:34 +0200
Daniel <tech@xxxxxxxxxx> wrote:

> On 09/10/2024 at 10:11, Carl Lei wrote:
> > On Wed, 9 Oct 2024 09:50:22 +0200
> > Daniel <tech@xxxxxxxxxx> wrote:
> >
> >> On 08/10/2024 at 22:28, Kevin P. Fleming wrote:
> >>> On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
> >>>> chain output {
> >>>>     type filter hook output priority filter;
> >>>>     policy drop;
> >>>>     ct state { established, related } accept
> >>>>     ip protocol icmp icmp type echo-request accept
> >>>>     ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
> >>>>     icmpv6 type echo-request accept
> >>>>     ip protocol { tcp, udp } th dport 53 accept
> >>>>     tcp dport 123 accept
> >>>>     tcp dport { 80, 443 } accept
> >>>>     tcp dport { 25, 465, 587, 993, 995, 4190 } accept
> >>>> }
> >>> What happens if you change this policy to 'accept', and make no
> >>> other changes?
> >> Or simply add new in state
> >>
> >> ct state { established, related, new } accept
> > IIRC many NDP packets have ct state = untracked, so you are
> > proposing to accept all TCP+UDP connections and still have broken
> > IPv6.
> Well, from my understanding, policy accept does the same

Well, if you meant to keep policy=drop and to add ctstate=new -> accept, it won't accept untracked NDP packets, so not going to work. Also IIRC assigning NDP packets state=untracked may be a recent kernel change, so results may vary between kernel versions.
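The point made above (NDP can arrive with ct state untracked, so neither `policy accept` nor `ct state new` is the right fix) is easiest to see in a ruleset that keeps `policy drop` and accepts Neighbor Discovery explicitly, before any `ct state` rule decides the packet's fate. The following is an added example written for this thread, not a ruleset posted by any of the participants; the table name `filter`, the `inet` family and the `counter` statements are my choices, and it assumes a kernel that marks ND/MLD as untracked (the thread notes this varies between versions).

```nft
table inet filter {
    chain output {
        type filter hook output priority filter; policy drop;

        # Loopback traffic is not a network exposure; accept it up front.
        oif "lo" accept

        # IPv6 Neighbor Discovery is not connection-tracked (ct state untracked
        # on kernels that do this), so it must be matched explicitly. Placing
        # this rule before any ct state rule is what keeps IPv6 working under
        # policy drop without opening all new TCP/UDP connections.
        icmpv6 type {
            nd-router-solicit,
            nd-router-advert,
            nd-neighbor-solicit,
            nd-neighbor-advert,
            nd-redirect
        } counter accept

        # Multicast Listener Discovery reports are sent by hosts and are
        # likewise untracked; needed for ND's solicited-node multicast groups.
        icmpv6 type { mld-listener-report, mld2-listener-report } counter accept

        # Now the usual stateful rule; untracked ND never reaches it.
        ct state { established, related } accept
        ct state invalid drop

        # Diagnostics: echo in both families.
        icmp type echo-request accept
        icmpv6 type echo-request accept

        # DNS over TCP and UDP, NTP (which is UDP), web and mail.
        meta l4proto { tcp, udp } th dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept
        tcp dport { 25, 465, 587, 993, 995, 4190 } accept
    }
}
```

Load it with `nft -f` and then `nft list chain inet filter output`: the `counter` on the ND rule shows whether Neighbor Discovery is actually being matched there, which is a quicker check than waiting for IPv6 neighbours to time out. If the counter stays at zero while IPv6 is broken, the packets are being dropped elsewhere (for example in an input chain) rather than by this chain's policy.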