My nftables.conf simply runs flush ruleset and then includes my firewall rules. I've copied them from the Arch wiki. So the included firewall.rules contains:
# An iptables-like firewall
table firewall {
chain incoming {
type filter hook input priority 0;
# established/related connections
ct state established,related accept
# invalid connections
ct state invalid drop
# loopback interface
iifname lo accept
# icmp
icmp type echo-request accept
# open tcp ports
tcp dport {http, https, ...} accept
# open udp ports
udp dport {...} accept
# drop everything else
drop
}
}
table ip6 firewall {
chain incoming {
type filter hook input priority 0;
# established/related connections
ct state established,related accept
# invalid connections
ct state invalid drop
# loopback interface
iifname lo accept
# icmp
icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept
# open tcp ports
tcp dport {http, https, ...} accept
# open udp ports
udp dport {...} accept
# drop everything else
drop
}
}
So when everything is loaded I can't use IPv6; ping6 errors with
From ams16s21-in-x0e.1e100.net icmp_seq=1 Destination unreachable: Address unreachable
However, if I run sudo nft flush table ip6 firewall, ping6 immediately starts working as expected. If I then re-establish the ip6 firewall table, IPv6 connectivity doesn't fail immediately, but after waiting a few minutes I find the ping6 command returning the aforementioned error.
My hosting provider doesn’t provide any IPv6 auto-configuration or router-advertisements at the network level fwiw.
Anyone seen anything like this before?
Best Answer
I would guess you have broken neighbour discovery. Initially things keep working because you already have things in the neighbour discovery cache, but later the entries time out.
You appear to be allowing neighbour solicit messages but not neighbour advertisement messages.
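The ip6 table below is an added example illustrating the fix the answer points at; it is not the poster's actual firewall.rules nor text from the answerer. It keeps the structure of the Arch wiki template but widens the icmpv6 set to cover both directions of neighbour discovery (solicit and advert), the router discovery pair, redirects, and the ICMPv6 error messages a host needs. The tcp and udp port sets are illustrative stand-ins for the ports elided in the question.

```nft
# Corrected IPv6 table: admits the ICMPv6 messages neighbour discovery needs.
# Added example, not the poster's firewall.rules; the tcp/udp port sets are
# example values, not the poster's real ports.
table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;

        # established/related connections
        ct state established,related accept
        # invalid connections
        ct state invalid drop
        # loopback interface
        iifname lo accept

        # ICMPv6 error messages (path MTU discovery depends on packet-too-big)
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # ping
        icmpv6 type echo-request accept

        # Neighbour discovery. The original set allowed nd-neighbor-solicit but
        # not nd-neighbor-advert, so the reply to this host's own solicitation
        # was dropped and the gateway's cache entry could never be refreshed
        # once it expired. nd-router-advert only matters on networks that use
        # router advertisements, but it is harmless to allow. ND and MLD are
        # not connection-tracked, so the established,related rule above does
        # not admit them; they have to be listed explicitly.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, mld-listener-query } accept

        # open tcp ports (example set)
        tcp dport { http, https } accept
        # open udp ports (example set)
        udp dport { domain } accept

        # drop everything else
        drop
    }
}
```

Check the file parses before loading it with sudo nft -c -f firewall.rules. To see the failure mode the answer describes, watch sudo ip -6 neigh show while the original rules are loaded: the gateway's entry moves from REACHABLE to STALE, then PROBE, then FAILED as the cache times out and the host's solicitations go unanswered from the firewall's point of view; with nd-neighbor-advert accepted it returns to REACHABLE.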