What | Removed | Added |
---|---|---|
Status | RESOLVED | REOPENED |
Resolution | FIXED | --- |

Now I have:

> 6 624 ACCEPT icmpv6 * * ::/0 ::/0 ctstate NEW

The problem is that only a little of the icmpv6 traffic is managed by conntrack. Hence, packets with the UNTRACKED state are dropped unless I add a custom rule '-p icmpv6 -j ACCEPT' (with no ctstate checking):

> $ ip6tables -L -vn|grep icmpv6
> 26 1800 LOG icmpv6 * * ::/0 ::/0 ctstate UNTRACKED LOG flags 0 level 4 prefix "XXUNTR"
> 0 0 LOG icmpv6 * * ::/0 ::/0 ctstate NEW LOG flags 0 level 4 prefix "XXNEW"
> 0 0 LOG icmpv6 * * ::/0 ::/0 ctstate RELATED LOG flags 0 level 4 prefix "XXRELA"
> 0 0 LOG icmpv6 * * ::/0 ::/0 ctstate ESTABLISHED LOG flags 0 level 4 prefix "XXESTE"
> 0 0 LOG icmpv6 * * ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "XXINVA"
> 6 624 ACCEPT icmpv6 * * ::/0 ::/0 ctstate NEW
> 195 13736 ACCEPT icmpv6 * * ::/0 ::/0
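
The check described in the comment above can be automated over a saved `ip6tables -L -vn` listing. The following is an added example, not code from the bug report or from iptables: the function names are hypothetical, and it assumes the column order shown in the quoted listing.

```python
# Added example: hypothetical helpers, not part of the bug report or of iptables.
# SAMPLE is the listing quoted in the comment above (whitespace as shown there).
SAMPLE = '''\
26 1800 LOG icmpv6 * * ::/0 ::/0 ctstate UNTRACKED LOG flags 0 level 4 prefix "XXUNTR"
0 0 LOG icmpv6 * * ::/0 ::/0 ctstate NEW LOG flags 0 level 4 prefix "XXNEW"
0 0 LOG icmpv6 * * ::/0 ::/0 ctstate RELATED LOG flags 0 level 4 prefix "XXRELA"
0 0 LOG icmpv6 * * ::/0 ::/0 ctstate ESTABLISHED LOG flags 0 level 4 prefix "XXESTE"
0 0 LOG icmpv6 * * ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "XXINVA"
6 624 ACCEPT icmpv6 * * ::/0 ::/0 ctstate NEW
195 13736 ACCEPT icmpv6 * * ::/0 ::/0
'''

ICMPV6_NAMES = {"icmpv6", "ipv6-icmp", "58"}  # protocol column by name or number
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}  # abbreviated counters


def to_count(text):
    """Turn a pkts/bytes column such as '195' or '13K' into an int."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


def parse_rules(listing):
    """Yield (pkts, target, ctstates) per ICMPv6 rule; ctstates is None when
    the rule has no ctstate match. Negated matches ('! ctstate') are not handled."""
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0][0].isdigit() or f[3] not in ICMPV6_NAMES:
            continue
        states = None
        if "ctstate" in f[4:-1]:
            states = frozenset(f[f.index("ctstate") + 1].split(","))
        yield to_count(f[0]), f[2], states


def untracked_exposure(listing):
    """Return (untracked_seen, covered): packets the LOG rules counted as
    UNTRACKED, and whether any ACCEPT rule can match UNTRACKED ICMPv6.
    Rule order and other chains are not evaluated."""
    rules = list(parse_rules(listing))
    seen = sum(p for p, t, s in rules if t == "LOG" and s and "UNTRACKED" in s)
    covered = any(t == "ACCEPT" and (s is None or "UNTRACKED" in s)
                  for _, t, s in rules)
    return seen, covered


if __name__ == "__main__":
    print(untracked_exposure(SAMPLE))
```

With the last line of the listing removed (the rule set before the custom rule was added), the second value becomes `False` while the UNTRACKED counter is non-zero, which is the condition the comment reports.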