netfilter.vger.kernel.org archive mirror
* [nftables 0.9.2 | kernel 4.19.93] dropping ct state untracked stops ipv6 connectivity
@ 2020-03-18 12:05 ѽ҉ᶬḳ℠
  2020-03-18 12:07 ` Florian Westphal
  0 siblings, 1 reply; 4+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-03-18 12:05 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

This works (i.e. ipv4 and ipv6 connectivity)

table inet filter {
         chain input {
                 type filter hook input priority filter; policy drop;
                 ct state established,related accept
                 ct state invalid drop
         }

}

This cuts ipv6 connectivity entirely (ipv4 connectivity works)

table inet filter {
         chain input {
                 type filter hook input priority filter; policy drop;
                 ct state established,related accept
                 ct state invalid,untracked drop
         }

}


It reproduces on each toggle: ct state invalid,untracked drop <-> ct 
state invalid drop (ct db/cache needs to clear in between toggling).
Enabled logging but nothing has been printed that would provide a hint.

Is this something to be expected, and if so why, or is it a bug in 
kernel / nft?




* Re: [nftables 0.9.2 | kernel 4.19.93] dropping ct state untracked stops ipv6 connectivity
  2020-03-18 12:05 [nftables 0.9.2 | kernel 4.19.93] dropping ct state untracked stops ipv6 connectivity ѽ҉ᶬḳ℠
@ 2020-03-18 12:07 ` Florian Westphal
  2020-03-18 12:16   ` ѽ҉ᶬḳ℠
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2020-03-18 12:07 UTC (permalink / raw)
  To: ѽ҉ᶬḳ℠; +Cc: netfilter@vger.kernel.org

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> This works (i.e. ipv4 and ipv6 connectivity)
> 
> table inet filter {
>         chain input {
>                 type filter hook input priority filter; policy drop;
>                 ct state established,related accept
>                 ct state invalid drop
>         }
> 
> }
> 
> This cuts ipv6 connectivity entirely (ipv4 connectivity works)
> 
> table inet filter {
>         chain input {
>                 type filter hook input priority filter; policy drop;
>                 ct state established,related accept
>                 ct state invalid,untracked drop

Yes.

> It reproduces on each toggle: ct state invalid,untracked drop <-> ct state
> invalid drop (ct db/cache needs to clear in between toggling).
> Enabled logging but nothing has been printed that would provide a hint.
> 
> Is this something to be expected, and if so why, or is it a bug in kernel /
> nft?

Expected, conntrack marks icmpv6 neigh resolution as untracked.


* Re: [nftables 0.9.2 | kernel 4.19.93] dropping ct state untracked stops ipv6 connectivity
  2020-03-18 12:07 ` Florian Westphal
@ 2020-03-18 12:16   ` ѽ҉ᶬḳ℠
  2020-03-18 12:28     ` Florian Westphal
  0 siblings, 1 reply; 4+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-03-18 12:16 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter@vger.kernel.org

On 18/03/2020 12:07, Florian Westphal wrote:
> ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
>> This works (i.e. ipv4 and ipv6 connectivity)
>>
>> table inet filter {
>>          chain input {
>>                  type filter hook input priority filter; policy drop;
>>                  ct state established,related accept
>>                  ct state invalid drop
>>          }
>>
>> }
>>
>> This cuts ipv6 connectivity entirely (ipv4 connectivity works)
>>
>> table inet filter {
>>          chain input {
>>                  type filter hook input priority filter; policy drop;
>>                  ct state established,related accept
>>                  ct state invalid,untracked drop
> Yes.
>
>> It reproduces on each toggle: ct state invalid,untracked drop <-> ct state
>> invalid drop (ct db/cache needs to clear in between toggling).
>> Enabled logging but nothing has been printed that would provide a hint.
>>
>> Is this something to be expected, and if so why, or is it a bug in kernel /
>> nft?
> Expected, conntrack marks icmpv6 neigh resolution as untracked.


Thanks for the instant feedback. Might be worth mentioning in the wiki/man page.

That is one protocol (icmpv6 neigh resolution) being untracked but that
implies that NFT is then subsequently blocking the source ipv6 entirely?
It is not even possible to reach a ssh server that runs on the NFT instance.


* Re: [nftables 0.9.2 | kernel 4.19.93] dropping ct state untracked stops ipv6 connectivity
  2020-03-18 12:16   ` ѽ҉ᶬḳ℠
@ 2020-03-18 12:28     ` Florian Westphal
  0 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2020-03-18 12:28 UTC (permalink / raw)
  To: ѽ҉ᶬḳ℠
  Cc: Florian Westphal, netfilter@vger.kernel.org

ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> That is one protocol (icmpv6 neigh resolution) being untracked but that
> implies that NFT is then subsequently blocking the source ipv6 entirely?

It's the same effect as dropping ipv4 arp packets with arptables: the
stack won't be able to figure out which ethernet address to use to send
the packet to.

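For readers who still want an "untracked" drop, the following ruleset is an added example (not posted in this thread) showing the ordering that avoids the outage Florian describes: the ICMPv6 Neighbour Discovery and MLD messages that conntrack marks untracked are accepted explicitly before the untracked drop. The `tcp dport 22 accept` line is an assumption based on the ssh server mentioned above; the `log` prefix is likewise an assumed choice so that any remaining untracked drops show up in the kernel log.

```nft
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;

                iif lo accept
                ct state established,related accept
                ct state invalid drop

                # Neighbour Discovery (RS/RA/NS/NA) and MLD are never tracked
                # by conntrack, so they must be accepted here; otherwise the
                # "untracked" drop below silently breaks IPv6 address
                # resolution, the same way dropping ARP breaks IPv4.
                icmpv6 type { nd-router-solicit, nd-router-advert,
                              nd-neighbor-solicit, nd-neighbor-advert,
                              mld-listener-query, mld-listener-report,
                              mld-listener-reduction, mld2-listener-report } accept

                # Assumed: log whatever untracked traffic is still dropped,
                # so the effect is visible instead of silent.
                ct state untracked log prefix "nft untracked drop: " drop

                # Assumed service rule (the thread mentions an ssh server on the host).
                tcp dport 22 accept
        }
}
```

Load it with `nft -f <file>`; after flushing the conntrack table as the reporter did, IPv6 neighbours should resolve again while any other untracked packets are still dropped and logged.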
