Monday, 15 June 2009

ip6tables fun

Note to self. IPv6 connection tracking is a bit eccentric.

Seems that neighbour solicitations are "INVALID" according to conntrack, i.e. IPv6's equivalent of ARP requests count as invalid ... and get dropped if you have a "-m state --state INVALID -j DROP" rule before your accept-various-icmpv6 rules.

This does great things for my host security, obviously.

Workaround: put the --state INVALID drop after the ICMPv6 accept rules, so neighbour discovery is accepted before the state check ever sees it.
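As an added example (mine, not from the original post), here is a sh snippet that installs the INPUT rules in the workaround order and a small check that catches the misordering in an `ip6tables -S INPUT` listing. The ICMPv6 type list 133-137 (router solicitation/advertisement, neighbour solicitation/advertisement, redirect) and the `check_order` helper are my assumptions beyond what the post states; the sample listing is constructed, and IP6TABLES=echo gives a dry run without touching the kernel.

```shell
#!/bin/sh
# Added example, not the post's own rules. IP6TABLES=echo for a dry run;
# the default is the real binary, which needs root.
IP6TABLES="${IP6TABLES:-ip6tables}"

# INPUT chain in the order that keeps neighbour discovery working:
# accept the neighbour discovery ICMPv6 types first, only then drop
# conntrack INVALID. Type set 133-137 is an assumption (RS, RA, NS, NA, Redirect).
apply_input_rules() {
    "$IP6TABLES" -A INPUT -i lo -j ACCEPT
    for t in 133 134 135 136 137; do
        "$IP6TABLES" -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    "$IP6TABLES" -A INPUT -m state --state INVALID -j DROP
    "$IP6TABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# check_order: read a rule listing (the format of `ip6tables -S INPUT`) on
# stdin; exit 0 if neighbour solicitations (type 135, or a blanket ICMPv6
# accept) are accepted before the first INVALID drop, or if there is no
# INVALID drop at all; exit 1 if the drop would shadow them.
# Matches both the old `-m state --state` and the newer `--ctstate` spelling.
check_order() {
    awk '
        /-j ACCEPT/ && (/icmpv6-type (135|neighbour-solicitation)/ || (/-p (icmpv6|ipv6-icmp)/ && !/icmpv6-type/)) { if (!ns) ns = NR }
        /state INVALID/ && /-j DROP/ { if (!inv) inv = NR }
        END { if (inv && !(ns && ns < inv)) exit 1; exit 0 }
    '
}

# Constructed listing showing the misordering from the post: INVALID drop first.
BROKEN_LISTING='-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT'

if printf '%s\n' "$BROKEN_LISTING" | check_order; then
    echo "ordering ok"
else
    echo "INVALID drop shadows the neighbour discovery accepts"
fi
# On a live box: ip6tables -S INPUT | check_order
```

Run the check against `ip6tables -S INPUT` after any ruleset change; it only inspects ordering, so it is safe to run from a non-root shell on a saved listing.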