ICMPv6 Echo reply to ICMPv6 Echo request sent to IPv6 multicast address is dropped
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ufw | New | Undecided | Unassigned | |
Bug Description
Similarly to what is described in [1], ICMPv6 echo replies are dropped when the request targets a multicast IPv6 address. The offending rule comes from conf/before6.rules:
```
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
```
IPv6 multicast addresses such as ff02::2 are useful, for example, to discover routers.
Somebody suggested in [2] that since the reply does not come from the expected address, the kernel flags it as invalid. Since the ACCEPT rules in conf/before6.rules are sufficient to allow this traffic, a (tested) solution can be to sink the DROP rule to the end of the file, after the ACCEPT ones.
[1] https:/
[2] https:/
UFW version: ufw 0.35
Distribution: Archlinux
I met the same issue.
And I found a Fix Released bug report: https://bugs.launchpad.net/ufw/+bug/720605.
But the change was removed at https://git.launchpad.net/ufw/commit/conf/before6.rules?id=e7050d675d6590765a30c1d8c2dda17494716868.
So I want to add the following lines again:
```
# for multicast ping replies from link-local addresses (these don't have an
# associated connection and would otherwise be marked INVALID)
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT
```
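
The rule-order effect discussed in this report, shown as an added example that is not part of the bug report or of ufw: a first-match model over the two rules quoted above, run against constructed packets. It assumes, as the report states, that the multicast echo reply is tagged INVALID, and it models only the options those two rules use.

```python
import ipaddress
import shlex

# The two rules quoted on this page.
DROP_INVALID = "-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP"
ACCEPT_REPLY = ("-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply "
                "-s fe80::/10 -j ACCEPT")
# Option name -> field; only the options that appear in those two rules.
OPTS = {"-j": "target", "-p": "proto", "--icmpv6-type": "icmp_type",
        "-s": "src", "--ctstate": "ctstate"}

def parse_rule(line):
    """Parse one rule line into a dict of match fields plus the target."""
    rule = dict.fromkeys(OPTS.values())
    tokens = shlex.split(line)
    for opt, value in zip(tokens[::2], tokens[1::2]):
        if opt in OPTS:
            rule[OPTS[opt]] = value
        elif opt not in ("-A", "-m"):  # chain name / match module: no field
            raise ValueError(f"unsupported option {opt!r}")
    return rule

def matches(rule, pkt):
    """True when every match the rule specifies agrees with the packet."""
    src_ok = rule["src"] is None or (
        ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"]))
    state_ok = rule["ctstate"] is None or pkt["ctstate"] in rule["ctstate"].split(",")
    return (rule["proto"] in (None, pkt["proto"])
            and rule["icmp_type"] in (None, pkt["icmp_type"])
            and src_ok and state_ok)

def verdict(rule_lines, pkt):
    """First-match evaluation: return the target of the first matching rule."""
    for line in rule_lines:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"]
    return None  # no rule matched; evaluation would continue past these rules

# Constructed packets. ctstate INVALID for the reply is the behaviour the
# page reports, not something this model computes.
LINK_LOCAL_REPLY = {"proto": "icmpv6", "icmp_type": "echo-reply",
                    "src": "fe80::1", "ctstate": "INVALID"}
GLOBAL_REPLY = dict(LINK_LOCAL_REPLY, src="2001:db8::1")

if __name__ == "__main__":
    for name, order in (("DROP first", [DROP_INVALID, ACCEPT_REPLY]),
                        ("ACCEPT first", [ACCEPT_REPLY, DROP_INVALID])):
        print(name, verdict(order, LINK_LOCAL_REPLY), verdict(order, GLOBAL_REPLY))
```

With the ACCEPT rule ahead of the INVALID drop, only replies sourced from fe80::/10 pass; an INVALID reply from a global address still reaches the DROP rule.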