Bug 806017 - conntrack thinks that ICMPv6 Echo reply to ICMPv6 Echo request sent to IPv6 multicast address is INVALID
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 17
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-22 17:15 UTC by Jiri Popelka
Modified: 2014-12-03 14:30 UTC

Fixed In Version: firewalld-0.2.5-1.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-24 04:26:01 UTC
Type: ---
Embargoed:


Attachments
Packet dump from machine A where you can see step (3) and (4). (742 bytes, application/octet-stream)
2012-03-22 17:16 UTC, Jiri Popelka

Description Jiri Popelka 2012-03-22 17:15:31 UTC
1) I have two virtual machines with interfaces on the same link:
A) fe80::5054:ff:fe09:e0b9/64
B) fe80::5054:ff:fe80:d951/64

2) I set up IPv6 packet filter on A with ip6tables:
# ip6tables -F
# ip6tables -A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp6-adm-prohibited
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

3) ping6 B from A:
# ping6 -I eth2 fe80::5054:ff:fe80:d951
PING fe80::5054:ff:fe80:d951(fe80::5054:ff:fe80:d951) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
64 bytes from fe80::5054:ff:fe80:d951: icmp_seq=1 ttl=64 time=0.265 ms
<OK>

4) ping6 'all nodes' from A:
# ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
<reply is rejected>

5) remove the first line from ip6tables
# ip6tables -D INPUT 1

6) ping6 'all nodes' from A:
# ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::5054:ff:fe09:e0b9 eth2: 56 data bytes
64 bytes from fe80::5054:ff:fe09:e0b9: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from fe80::5054:ff:fe80:d951: icmp_seq=1 ttl=64 time=0.318 ms (DUP!)
<OK>

Comment 1 Jiri Popelka 2012-03-22 17:16:36 UTC
Created attachment 572041
Packet dump from machine A where you can see step (3) and (4).

Comment 2 Jiri Popelka 2012-03-22 17:18:10 UTC
The packet dump is from machine B.

Comment 3 Dave Jones 2012-03-22 21:18:15 UTC
Can you post this to netdev.org? Interacting directly with the networking maintainers is probably going to get this fixed a lot faster than me acting as middle-man.

Comment 4 Jiri Popelka 2012-03-23 18:05:53 UTC
I reported this to netfilter AT vger.kernel.org a couple of hours ago but still don't see it on http://www.spinics.net/lists/netfilter/.

Anyway we can close this as UPSTREAM I think.

Comment 5 Thomas Woerner 2012-03-26 17:53:17 UTC
Reopening against firewalld

Comment 6 Thomas Woerner 2012-03-26 17:53:46 UTC
Fixed upstream in commit:

commit f03c76eff658d65392905c357b4af694bbcad07a
Author: Thomas Woerner <twoerner>
Date:   Mon Mar 26 19:51:12 2012 +0200

    Removed conntrack --ctstate INVALID check from default ruleset, because it
    results in ICMP problems (RHBZ#806017).
    Added conntrack --ctstate NEW matches to all settings for zones.
    
    * src/firewall/core/fw_zone.py
    - added conntrack --ctstate NEW match
    * src/firewall/core/ipXtables.py
    - removed conntrack --ctstate INVALID check from default rules
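
The reproduction in the description and the fix in comment 6 both come down to rule ordering: conntrack creates a tuple for an echo request whose destination is ff02::1, but each reply arrives from a unicast address and matches no existing entry, so conntrack classifies the reply as INVALID. A REJECT or DROP on ctstate INVALID that sits in INPUT ahead of the ICMPv6 ACCEPT therefore discards every reply to a multicast ping. The following is an added example, not code from the bug report or from firewalld: a small auditor that parses ip6tables-save output and flags exactly that ordering. The three rulesets are constructed from the commands in the report (the reported ruleset, the ruleset after step 5 / the firewalld fix, and a variant that keeps an INVALID filter but accepts ICMPv6 first); the function and class names are this example's own.

```python
"""Audit an ip6tables-save style ruleset for a ctstate INVALID REJECT/DROP
placed in INPUT before ICMPv6 is accepted (the ordering from RHBZ#806017).
Added example; not code from the bug report or from firewalld."""

import shlex
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    chain: str
    args: List[str]

    @property
    def target(self) -> Optional[str]:
        # Jump target (ACCEPT, REJECT, DROP, ...); None when the rule has no -j.
        if "-j" in self.args:
            return self.args[self.args.index("-j") + 1]
        return None

    def option(self, *names: str) -> Optional[str]:
        # Value following the first of the given option names, if present.
        for name in names:
            if name in self.args:
                return self.args[self.args.index(name) + 1]
        return None

    def ctstates(self) -> Set[str]:
        # States matched via "-m conntrack --ctstate" or the older "-m state --state",
        # e.g. {"INVALID"} or {"INVALID", "UNTRACKED"}. Negated matches are not handled.
        value = self.option("--ctstate", "--state")
        return set(value.split(",")) if value else set()

    def accepts_icmpv6(self) -> bool:
        return self.option("-p") in ("ipv6-icmp", "icmpv6", "58") and self.target == "ACCEPT"


def parse_rules(text: str) -> List[Rule]:
    """Parse the -A lines of ip6tables-save output; table headers, chain
    policy lines and COMMIT are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) >= 2 and tokens[0] == "-A":
            rules.append(Rule(chain=tokens[1], args=tokens[2:]))
    return rules


def invalid_filter_before_icmpv6(rules: List[Rule], chain: str = "INPUT") -> Optional[int]:
    """0-based position within the chain of the first REJECT/DROP on ctstate
    INVALID that precedes every ICMPv6 ACCEPT, or None if the chain is fine."""
    for pos, rule in enumerate(r for r in rules if r.chain == chain):
        if rule.accepts_icmpv6():
            return None  # ICMPv6 is accepted before any INVALID filter can see it
        if "INVALID" in rule.ctstates() and rule.target in ("REJECT", "DROP"):
            return pos
    return None


def audit(text: str) -> str:
    pos = invalid_filter_before_icmpv6(parse_rules(text))
    if pos is None:
        return "ok: no ctstate INVALID filter ahead of the ICMPv6 accept in INPUT"
    return f"warning: INPUT rule {pos + 1} rejects ctstate INVALID before ICMPv6 is accepted"


# Constructed sample rulesets in ip6tables-save form, built from the report's commands.
REPORTED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

# Step 5 of the report and the firewalld fix: the INVALID rule is removed.
FIXED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

# Constructed variant: an INVALID filter is kept, but ICMPv6 is accepted first.
REORDERED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("reported", REPORTED_RULESET), ("fixed", FIXED_RULESET),
                       ("reordered", REORDERED_RULESET)):
        print(f"{name}: {audit(text)}")
```

To run it against a live host, feed the output of `ip6tables-save` to `audit()`. The check only looks at chain order and the INVALID state; it does not model the conntrack entries themselves, so a clean result means the reply can reach the ICMPv6 ACCEPT, not that every ICMPv6 type is permitted.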

Comment 7 Fedora Update System 2012-04-20 19:54:13 UTC
firewalld-0.2.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17

Comment 8 Fedora Update System 2012-04-21 21:04:02 UTC
Package firewalld-0.2.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6323/firewalld-0.2.5-1.fc17
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-04-24 04:26:01 UTC
firewalld-0.2.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Jiri Popelka 2014-12-03 14:30:57 UTC
(In reply to Jiri Popelka from comment #4)
> I reported this to netfilter AT vger.kernel.org

For the record:
http://marc.info/?l=netfilter&m=133252802204019&w=2

