Since drop_invalid has been turned on by default, ICMPv6 echo requests to well-known multicast addresses, such as ff02::1, are not replied to by the router anymore, because conntrack considers those outgoing reply packets to be invalid.
Fix this by not having the INVALID rule in the OUTPUT chain match IPv6 packets destined to link-local addresses (fe80::/10). Signed-off-by: Vittorio Gambaletta <[email protected]> --- --- a/defaults.c +++ b/defaults.c @@ -222,6 +222,16 @@ fw3_print_default_head_rules(struct fw3_ if (defs->drop_invalid) { r = fw3_ipt_rule_new(handle); + if (i == 2 && handle->family == FW3_FAMILY_V6) { + struct fw3_address mcdst = { + .set = true, + .invert = true, + .family = FW3_FAMILY_V6, + .address.v6.s6_addr = { 0xfe, 0x80 }, + .mask.v6.s6_addr = { 0xff, 0xc0 }, + }; + fw3_ipt_rule_src_dest(r, NULL, &mcdst); + } fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID"); fw3_ipt_rule_target(r, "DROP"); fw3_ipt_rule_append(r, chains[i]); _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
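Review bot: The exemption built in the `mcdst` block is wider than the problem the commit message describes: with `.invert = true` on fe80::/10 and no protocol match, every locally generated packet to a link-local destination skips the INVALID drop in this chain, not only ICMPv6 echo replies. Consider narrowing the match to ICMPv6 if the rule API allows it, or say in the commit message why the broader exemption is acceptable. The name `mcdst` also reads as "multicast destination" while the address is the link-local unicast prefix, and `i == 2` depends on the order of `chains[]`, which is not visible in this hunk; a short comment naming the OUTPUT chain and the reason for the exception would make the condition easier to check.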
