On 08/10/2016 at 20:09, Florian Pelgrim wrote:
> $ ip route get 2404:6800:400a:800::1012
> 2404:6800:400a:800::1012 from :: via fe80::1 dev eth0 src
> fe80::d481:11ff:feee:4908 metric 0

This does not look like a correct setup to me, unless the router
performs source NAT (yuck!). A link-local source address cannot be used
to send packets beyond the link.

> So why is conntrack ignoring my icmpv6 traffic?

Conntrack does not ignore all ICMPv6 traffic. Only some ICMPv6 types are
not tracked because they use multicast which is hard to track. Such
types include part of the NDP protocol (neighbour discovery): Neighbour
Solicitation, Neighbour Advertisement, Router Solicitation, Router
Advertisement, and a few others. They have the UNTRACKED state.
Blocking NDP on a broadcast interface breaks IPv6 connectivity.
Other usual ICMPv6 types such as Echo Request/Reply and error messages
(Destination Unreachable, Packet Too Big, Parameter Problem...) are
tracked as usual.
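
As an added example that is not part of the original message: a minimal stateful nftables input chain that accounts for the behaviour described above, accepting the UNTRACKED NDP types explicitly while leaving Echo and error messages to conntrack. The table name `example_filter`, the drop policy and the hop-limit check (RFC 4861 requires hop limit 255 for NDP) are assumptions of this sketch.

```nftables
# Constructed example ruleset; table and chain names are hypothetical.
table ip6 example_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Replies to our own traffic, and ICMPv6 errors (Destination
        # Unreachable, Packet Too Big, Parameter Problem) that conntrack
        # associates with an existing flow, arrive as ESTABLISHED/RELATED.
        ct state established,related accept
        ct state invalid drop

        # NDP never reaches ESTABLISHED or RELATED: conntrack marks these
        # types UNTRACKED, so they need their own rule or the drop policy
        # breaks neighbour and router discovery on the link.
        # Hop limit 255 proves the packet was not forwarded by a router.
        ct state untracked icmpv6 type {
            nd-router-solicit,
            nd-router-advert,
            nd-neighbor-solicit,
            nd-neighbor-advert
        } ip6 hoplimit 255 accept

        # Echo Request is tracked normally and shows up as NEW;
        # the Echo Reply is then covered by the ESTABLISHED rule above.
        icmpv6 type echo-request ct state new accept
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`.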