Package: nftables
Version: 1.1.6-1+b1
Severity: important
Tags: ipv6
Be aware I'm reporting this bug on host "real"; the bug occurs on host "ybox",
which is network isolated.
I have a setup with an ISP-supplied router (fritzbox).
I have a Debian box (ybox) running trixie connected to this via enp2s0, and a
LAN on enp4s0.
ybox requests a Prefix Delegation (PD) from fritzbox. This needs to be
regularly renewed.
The INPUT chain includes:
ct state established,related counter packets 2 bytes 226 accept # handle 6
and later:
ip6 saddr fe80::52e6:36ff:fea5:d50f udp sport 547 udp dport 546 counter packets 1 bytes 246 accept # handle 8
While handle#8 is in place, everything works: a renew is requested and a reply
received and processed. If handle#8 is removed, the PD eventually times out and
the lease is lost.
I have terminal output, with timestamps, as well as a wireshark trace showing the
point where request/reply breaks down.
Most addresses in logs are link local. I've attempted to elide any global IPv6
addresses.
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.4
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ /sbin/nft -v
nftables v1.1.3 (Commodore Bullmoose #4)
$ cat /proc/version
Linux version 6.12.85+deb13-amd64 ([email protected]) (x86_64-linux-gnu-gcc-14 (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44) #1 SMP PREEMPT_DYNAMIC Debian 6.12.85-1 (2026-04-30)
ii libnftables1:amd64 1.1.3-1 amd64 Netfilter nftables high level userspace API library
ii libnftnl11:amd64 1.2.9-1 amd64 Netfilter nftables userspace API library
ii nftables 1.1.3-1 amd64 Program to control packet filtering rules by Netfilter project
It appears reportbug will not, at this time, allow me to attach
"just-dhcpv6.txt"; I will add it later.
---------------------------------------------------------
I am using systemd-networkd to configure IPv6. I request a delegation via
PrefixDelegationHint=::/48
and am granted a 57-bit PD by the upstream Fritzbox (fe80::52e6:36ff:fea5:d50f).
This PD will expire unless renewed, and to that end my host (ybox) sends DHCPv6
Renew messages upstream to the fritzbox; it immediately receives a DHCPv6 REPLY
which renews the PD.
On ybox, enp2s0 goes UP (to Fritzbox) and enp4s0 goes DOWN to LAN.
I have left this system running for 24+ hours, with wireshark collecting all
ICMPv6 and DHCPv6 on both enp2s0 and enp4s0; it's running fine.
(show-stuff is a small script)
owner@ybox:~$ sudo show-stuff
Sat 2 May 16:09:11 UTC 2026
net.ipv6.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
Firewall ==================================
table inet filter { # handle 3
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        iif "lo" counter packets 2788 bytes 290678 accept # handle 4
        iif "enp4s0" counter packets 438 bytes 74788 accept # handle 5
        ct state established,related counter packets 16909 bytes 13342913 accept # handle 6
        ip6 saddr fe80::52e6:36ff:fea5:d50f meta l4proto ipv6-icmp counter packets 1220 bytes 110296 accept # handle 7
        ip6 saddr fe80::52e6:36ff:fea5:d50f udp sport 547 udp dport 546 counter packets 53 bytes 12414 accept # handle 8
        ip6 saddr fe80::52e6:36ff:fea5:d50f tcp dport 25 counter packets 0 bytes 0 accept # handle 9
        ip saddr 192.168.1.254 tcp dport 25 counter packets 0 bytes 0 accept # handle 10
    }
    chain FORWARD { # handle 2
        type filter hook forward priority filter; policy drop;
        ct state established,related counter packets 85 bytes 65480 accept # handle 11
        iif "enp4s0" oif "enp2s0" counter packets 92 bytes 7720 accept # handle 12
        ip6 saddr fe80::52e6:36ff:fea5:d50f meta l4proto ipv6-icmp counter packets 0 bytes 0 accept # handle 13
        ip6 saddr fe80::52e6:36ff:fea5:d50f udp sport 547 udp dport 546 counter packets 0 bytes 0 accept # handle 14
    }
    chain OUTPUT { # handle 3
        type filter hook output priority filter; policy accept;
    }
}
Routes ====================================
2a02:XXX2:3833::/64 dev enp2s0 proto ra metric 1024 expires 6975sec pref medium
2a02:XXX2:3833:87::/64 dev enp2s0 proto kernel metric 256 expires 6166sec pref medium
2a02:XXX2:3833:89::/64 dev enp4s0 proto kernel metric 256 expires 6166sec pref medium
unreachable 2a02:XXX2:3833:80::/57 dev lo proto dhcp metric 1024 pref medium
2a02:XXX2:3833::/48 nhid 4088658661 via fe80::52e6:36ff:fea5:d50f dev enp2s0 proto ra metric 1024 expires 1575sec pref medium
fde4:f713:95b0::/64 dev enp2s0 proto ra metric 1024 expires 6975sec pref medium
fde4:f713:95b0::/64 nhid 4088658661 via fe80::52e6:36ff:fea5:d50f dev enp2s0 proto ra metric 1024 expires 1575sec pref medium
fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
fe80::/64 dev enp4s0 proto kernel metric 256 pref medium
default nhid 4088658661 via fe80::52e6:36ff:fea5:d50f dev enp2s0 proto ra metric 1024 expires 1575sec pref medium
Addresses =================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:0b:31:b0:be brd ff:ff:ff:ff:ff:ff
    altname enx00e00b31b0be
    inet 192.168.1.152/24 brd 192.168.1.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet 192.168.1.23/24 metric 1024 brd 192.168.1.255 scope global secondary dynamic enp2s0
       valid_lft 774010sec preferred_lft 774010sec
    inet6 fde4:f713:95b0::47/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6976sec preferred_lft 3376sec
    inet6 2a02:XXX2:3833::47/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6976sec preferred_lft 3376sec
    inet6 2a02:XXX2:3833:87::45/64 metric 256 scope global dynamic mngtmpaddr
       valid_lft 6167sec preferred_lft 2567sec
    inet6 fe80::2e0:bff:fe31:b0be/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e0:0b:31:b0:bf brd ff:ff:ff:ff:ff:ff
    altname enx00e00b31b0bf
    inet 10.117.0.152/24 brd 10.117.0.255 scope global enp4s0
       valid_lft forever preferred_lft forever
    inet6 2a02:XXX2:3833:89::44/64 metric 256 scope global dynamic mngtmpaddr
       valid_lft 6167sec preferred_lft 2567sec
    inet6 fe80::152/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:bff:fe31:b0bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 7c:e9:d3:97:48:53 brd ff:ff:ff:ff:ff:ff
    altname wlx7ce9d3974853
Network status =================================
* 2: enp2s0
    Link File: /usr/lib/systemd/network/99-default.link
    Network File: /etc/systemd/network/10-upper.network
    State: routable (configured)
    Online state: online
    Type: ether
    Path: pci-0000:02:00.0
    Driver: r8169
    Vendor: Realtek Semiconductor Co., Ltd.
    Model: RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller
    Alternative Names: enx00e00b31b0be
    Hardware Address: 00:e0:0b:31:b0:be (ROOFTOP COMMUNICATIONS CORP.)
    MTU: 1500 (min: 68, max: 9194)
    QDisc: fq_codel
    IPv6 Address Generation Mode: eui64
    Number of Queues (Tx/Rx): 1/1
    Auto negotiation: yes
    Speed: 1Gbps
    Duplex: full
    Port: tp
    Address: 192.168.1.23 (DHCPv4 via 192.168.1.254)
             192.168.1.152
             2a02:XXX2:3833::47
             2a02:XXX2:3833:87::45
             fde4:f713:95b0::47
             fe80::2e0:bff:fe31:b0be
    Gateway: 192.168.1.254
             192.168.1.254
             fe80::52e6:36ff:fea5:d50f
    DNS: 192.168.1.254
         8.8.8.8
         fde4:f713:95b0:0:52e6:36ff:fea5:d50f
         2a02:XXX2:3833:0:52e6:36ff:fea5:d50f
    NTP: 192.168.1.254
         2a02:XXX2:3833:0:52e6:36ff:fea5:d50f
         fde4:f713:95b0:0:52e6:36ff:fea5:d50f
    Activation Policy: up
    Required For Online: yes
    DHCPv4 Client ID: IAID:0x5de26c15/DUID
    DHCPv6 Client IAID: 0x5de26c15
    DHCPv6 Client DUID: DUID-EN/Vendor:0000ab1178381c5802d1e61b
    Connected To: fritz.box (AVM FRITZ!Box 7530 164.08.21) on port 50:e6:36:a5:d5:0f (LAN:2)
May 01 16:09:18 ybox systemd-networkd[415]: enp2s0: Configuring with /etc/systemd/network/10-upper.network.
May 01 16:09:18 ybox systemd-networkd[415]: enp2s0: Link UP
May 01 16:09:20 ybox systemd-networkd[415]: enp2s0: Gained carrier
May 01 16:09:20 ybox systemd-networkd[415]: enp2s0: DHCPv4 address 192.168.1.23/24, gateway 192.168.1.254 acquired from 192.168.1.254
May 01 16:09:22 ybox systemd-networkd[415]: enp2s0: Gained IPv6LL
May 01 16:09:22 ybox systemd-networkd[415]: enp2s0: DHCP: received delegated prefix 2a02:XXX2:3833:80::/57
May 01 16:09:22 ybox systemd-networkd[415]: enp2s0: DHCP-PD address 2a02:XXX2:3833:87::45/64 (valid for 1h 59min 59s, preferred for 59min 59s)
Sat 2 May 16:09:11 UTC 2026
Handle#8 is:
ip6 saddr fe80::52e6:36ff:fea5:d50f udp sport 547 udp dport 546 counter packets 53 bytes 12414 accept # handle 8
This is to allow ALL DHCPv6 traffic ONLY from fritzbox (I don't want ALL DHCPv6
traffic from the internet to be allowed).
I believe this rule should not be necessary (and is ugly, due to the fixed IP
address) since the only DHCPv6 traffic I need are REPLIES
to requests made by ybox (over enp2s0).
Note that Handle #8 has handled 53 packets. We can see from the wireshark that
the only DHCPv6 traffic is renew/reply
There are 54 packets of DHCPv6.msgtype == "reply" ... two (17:24 on 1st May)
are on enp4s0 (a reply to a solicit)
The other 52 DHCPv6 Replies are all "Identity Association for Prefix
Delegation" giving 2a02:xxxx:xxxx:80::
***************************
I will now delete handle#8
$ sudo nft delete rule inet filter INPUT handle 8 ; date -u
[sudo] password for owner:
Sat 2 May 16:27:47 UTC 2026
$ sudo nft -a list ruleset
table inet filter { # handle 3
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        iif "lo" counter packets 2805 bytes 292300 accept # handle 4
        iif "enp4s0" counter packets 444 bytes 75411 accept # handle 5
        ct state established,related counter packets 17017 bytes 13371202 accept # handle 6
        ip6 saddr fe80::52e6:36ff:fea5:d50f meta l4proto ipv6-icmp counter packets 1241 bytes 112048 accept # handle 7
        ip6 saddr fe80::52e6:36ff:fea5:d50f tcp dport 25 counter packets 0 bytes 0 accept # handle 9
        ip saddr 192.168.1.254 tcp dport 25 counter packets 0 bytes 0 accept # handle 10
    }
    chain FORWARD { # handle 2
        type filter hook forward priority filter; policy drop;
        ct state established,related counter packets 85 bytes 65480 accept # handle 11
        iif "enp4s0" oif "enp2s0" counter packets 92 bytes 7720 accept # handle 12
        ip6 saddr fe80::52e6:36ff:fea5:d50f meta l4proto ipv6-icmp counter packets 0 bytes 0 accept # handle 13
        ip6 saddr fe80::52e6:36ff:fea5:d50f udp sport 547 udp dport 546 counter packets 0 bytes 0 accept # handle 14
    }
    chain OUTPUT { # handle 3
        type filter hook output priority filter; policy accept;
    }
}
What I expect to now happen is ybox will renew the PD several times, get its
usual reply but will be blocked by NFT.
Then after failing to get a valid reply to its renew request, it will start
sending different traffic.
So at 16:27 UTC I delete rule handle#8
Renew/reply continues
@ 17:09 UTC we see the 1st rebind + reply
@ 18:21 UTC we see Solicit + reply
@ 18:21 UTC systemd-networkd reports enp2s0: DHCPv6 lease lost
The file just-dhcpv6.txt contains an (annotated) wireshark export with a filter
to select only DHCPv6 (search for "***" to see the annotations).
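Added example, not the reporter's ruleset: an INPUT chain for the setup described above that accepts the DHCPv6 replies on enp2s0 without pinning the router's link-local address, and a comment on why the "ct state established,related" rule cannot do it. It assumes the Renew is sent to the multicast address ff02::1:2 as RFC 8415 specifies (the wireshark trace is not on the page), that both ends of the exchange use link-local addresses as the report's logs show, and the reporter's interface names; the SMTP rules are left out.

```nft
# Added example, not the bug report's own ruleset. Load with: nft -f <file>
#
# Why handle 8 was needed: the client sends its Renew to the multicast
# address ff02::1:2, so the conntrack entry created by that request expects
# the reply to come FROM ff02::1:2. The router instead answers from its own
# link-local unicast address. That packet matches no existing entry, is
# classified "new", and never reaches "ct state established,related"; with
# policy drop it is discarded unless a dedicated accept rule exists. The
# report's counters show exactly this: the 53 replies landed on handle 8,
# not on handle 6 in front of it.
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        iif "enp4s0" accept
        ct state established,related accept
        # Unchanged from the report: ICMPv6 (RA, ND) from the router.
        ip6 saddr fe80::52e6:36ff:fea5:d50f meta l4proto ipv6-icmp accept
        # Replacement for handle 8. DHCPv6 server->client only on the
        # upstream interface, and only when BOTH addresses are link-local.
        # Packets routed in from the Internet never carry fe80::/10
        # addresses, so this keeps the reporter's "only from the local
        # router" intent without hard-coding one address. The counter
        # lets "nft list chain inet filter INPUT" confirm replies hit here.
        iif "enp2s0" ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter accept
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iif "enp4s0" oif "enp2s0" accept
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
```

The same reasoning applies to DHCPv4 replies to broadcast requests; it is a property of conntrack's tuple matching, not a defect in nftables' rule evaluation.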