ufw

ICMPv6 Echo reply to ICMPv6 Echo request sent to IPv6 multicast address is dropped

Bug #1743228 reported by Douglas RAILLARD
This bug report is a duplicate of: Bug #1664133: ipv6 multicast pings don't return.
This bug affects 2 people
Affects: ufw. Status: New. Importance: Undecided. Assigned to: Unassigned.

Bug Description

Similar to what is described in [1], ICMPv6 echo replies are dropped when the request targets a multicast IPv6 address. The offending rule comes from conf/before6.rules:
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

IPv6 multicast addresses such as ff02::2 are useful for discovering routers, for example.

Somebody suggested in [2] that, since the reply does not come from the expected address, the kernel flags it as invalid. Since the ACCEPT rules in conf/before6.rules are sufficient to allow this traffic, a (tested) solution can be to sink the DROP rule to the end of the file, after the ACCEPT ones.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=806017
[2] https://www.spinics.net/lists/netfilter/msg52580.html

UFW version: ufw 0.35
Distribution: Archlinux

Kazuhiro NISHIYAMA (znz) wrote:

I met the same issue.
And I found the Fix Released bug report https://bugs.launchpad.net/ufw/+bug/720605 .
But the change was removed at https://git.launchpad.net/ufw/commit/conf/before6.rules?id=e7050d675d6590765a30c1d8c2dda17494716868 .

So I want to add the following lines again:

```
# for multicast ping replies from link-local addresses (these don't have an
# associated connection and would otherwise be marked INVALID)
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT
```
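The point made by both the report (the INVALID DROP sits ahead of the ACCEPT rules) and the comment above (re-add the link-local echo-reply ACCEPT) comes down to rule order inside ufw6-before-input. The script below is an added example, not ufw's code and not either poster's: it builds a constructed, trimmed fragment in the before6.rules format, checks whether the `--icmpv6-type echo-reply -s fe80::/10` ACCEPT precedes the `--ctstate INVALID -j DROP` rule, and if not inserts it (with the upstream comment) immediately before the DROP, removing any later copy. The file path, the function names and the fragment contents are assumptions for the example; the live-host commands listed in the comments are shown for reference and are not executed by the script.

```shell
#!/bin/sh
# Added example (not ufw's own code): check and repair the rule order in a
# before6.rules-style text file so that link-local ICMPv6 echo replies are
# accepted before the "--ctstate INVALID -j DROP" rule. Works on a text copy
# only; it never touches a live ip6tables ruleset.
#
# Manual verification on a real host (needs root and an IPv6-capable link;
# not run by this script):
#   ping6 -c 3 ff02::2%eth0        # replies come from fe80::... router addresses
#   ip6tables -S ufw6-before-input # the echo-reply ACCEPT must precede INVALID DROP
#   ufw reload                     # after editing /etc/ufw/before6.rules
set -u

# Constructed, trimmed fragment modelled on conf/before6.rules (assumed path,
# not the real file): the INVALID DROP comes before the ICMPv6 ACCEPT rules.
RULES_FILE="${TMPDIR:-/tmp}/before6.rules.example"
cat > "$RULES_FILE" <<'EOF'
*filter
:ufw6-before-input - [0:0]
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
COMMIT
EOF

INVALID_DROP='-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP'
LL_REPLY_ACCEPT='-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT'

# Line number of the first line of file $1 that exactly equals $2 (empty if absent).
line_of() {
    grep -n -F -x -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Succeeds (exit 0) only when the link-local echo-reply ACCEPT is present
# and appears before the INVALID DROP; fails otherwise.
rule_order_ok() {
    drop=$(line_of "$1" "$INVALID_DROP")
    accept=$(line_of "$1" "$LL_REPLY_ACCEPT")
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$accept" -lt "$drop" ]
}

# Rewrites file $1 so the ACCEPT rule (with its explanatory comment) sits
# directly before the INVALID DROP; any other copy of the ACCEPT is removed
# first so the rule appears exactly once.
fix_rule_order() {
    file=$1
    tmp="$file.tmp"
    awk -v drop="$INVALID_DROP" -v accept="$LL_REPLY_ACCEPT" '
        $0 == accept { next }   # discard an existing copy; re-added below
        $0 == drop {
            print "# for multicast ping replies from link-local addresses (these do not have an"
            print "# associated connection and would otherwise be marked INVALID)"
            print accept
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

if rule_order_ok "$RULES_FILE"; then
    echo "echo-reply ACCEPT already precedes the INVALID DROP in $RULES_FILE"
else
    fix_rule_order "$RULES_FILE"
    echo "inserted link-local echo-reply ACCEPT ahead of the INVALID DROP in $RULES_FILE"
fi
```

Exact-line matching (`grep -F -x`) is deliberate: the fragment also carries an `--ctstate INVALID -j ufw6-logging-deny` rule, which must stay in place, and a substring match on "INVALID" would confuse the two. On a real system the same check can be pointed at /etc/ufw/before6.rules before running `ufw reload`.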
