Hi, I'm currently playing with ip6tables and seeing some strange stuff which I did not expect. I configure my servers with Ansible, which is able to look up my default IPv6 address. To do so it uses `ip route get 2404:6800:400a:800::1012` and parses the output. Currently there is no IPv6 configured on the system, so the default v6 address should be a link-local address.
This is the expected result without a firewall:

$ ip route get 2404:6800:400a:800::1012
2404:6800:400a:800::1012 from :: via fe80::1 dev eth0  src fe80::d481:11ff:feee:4908  metric 0
    cache  hoplimit 64

Now I set up some basic ip6tables firewall settings:

1. Set the policy to DROP
2. Allow everything, input and output, on loopback
3. Allow RELATED and ESTABLISHED connections for input and output
4. Allow every ICMPv6 packet with the state NEW

$ ip6tables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0                 state RELATED,ESTABLISHED
ACCEPT     icmpv6   ::/0                 ::/0                 state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0                 state RELATED,ESTABLISHED
ACCEPT     icmpv6   ::/0                 ::/0                 state NEW

So far I thought this would work, but what I get when I now try to look up my default IPv6 address is this:

$ ip route get 2404:6800:400a:800::1012
unreachable 2404:6800:400a:800::1012 from :: dev lo  table unspec  proto kernel  src fe80::d481:11ff:feee:4908  metric 4294967295  error -101

I played for some time with different rules and added a new rule for icmpv6 without the state flag. And there it works again. Uh? So let's look this up in conntrack. The results are pretty low... There is nothing to see. No v6 packet in any state. So why is conntrack ignoring my icmpv6 traffic?

And another question is: how can I flush the cached results from `ip route get`? `ip route cache flush` is not working, since I guess they changed the caching in kernel version 3.6.
OS details:

$ uname -a
Linux mail 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux

$ dpkg-query -f "Package" -l iptables linux-image-* conntrack
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                   Version
+++-======================================-=================
ii  conntrack                              1:1.4.2-2+deb8u1
ii  iptables                               1.4.21-2+b1
ii  linux-image-3.16.0-4-amd64             3.16.36-1+deb8u1
ii  linux-image-amd64                      3.16+63

Cheers
Florian
signature.asc
Description: OpenPGP digital signature
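Added example, not part of Florian's mail. The behaviour he observes matches how the kernel's ICMPv6 conntrack helper (`noct_valid_new` in `net/netfilter/nf_conntrack_proto_icmpv6.c`) treats Neighbour Discovery and MLD messages: Router Solicitation/Advertisement and Neighbour Solicitation/Advertisement (ICMPv6 types 133-136) never get a conntrack entry. They are marked untracked, so `-m state --state NEW` does not match them, they never show up in `conntrack -L`, and with an OUTPUT/INPUT policy of DROP they are silently discarded. The assumption made here for the "unreachable" result is that the default route via fe80::1 was learned from Router Advertisements (no IPv6 was configured by hand); once RAs are dropped in INPUT that route expires and the lookup returns ENETUNREACH (error -101). The script below emits an `ip6tables-restore` ruleset that keeps the posted DROP/RELATED,ESTABLISHED/NEW layout but accepts ND without a state match, and a checker that reports which ND types a saved ruleset would drop. The hop-limit 255 match on INPUT is the RFC 4861 requirement for ND, added here as a hardening choice; ND Redirect (137) and the MLD types (130-132) are deliberately left out and would need their own rules if you rely on them.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumption: ICMPv6 types
# 133-136 are untracked by conntrack, so "-m state --state NEW" never
# matches them and they must be accepted without a state match.

# Neighbour Discovery: RS(133) RA(134) NS(135) NA(136)
ND_TYPES="133 134 135 136"

# Emit an ip6tables-restore ruleset: DROP policies, loopback,
# RELATED/ESTABLISHED, explicit (stateless) ND rules, then NEW icmpv6.
emit_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for t in $ND_TYPES; do
        # No -m state here: these packets are untracked. RFC 4861 requires
        # hop limit 255 on ND, so anything routed (hl < 255) is rejected.
        printf '%s\n' \
            "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT" \
            "-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -p ipv6-icmp -m state --state NEW -j ACCEPT' \
        '-A OUTPUT -p ipv6-icmp -m state --state NEW -j ACCEPT' \
        'COMMIT'
}

# Read an ip6tables-save/-restore dump on stdin and report every ND type
# that has no ACCEPT rule free of a state/ctstate match in INPUT or OUTPUT.
# Returns 0 when all four types are covered in both chains, 1 otherwise.
check_nd_rules() {
    dump=$(cat)
    missing=0
    for chain in INPUT OUTPUT; do
        for t in $ND_TYPES; do
            if ! printf '%s\n' "$dump" \
                | grep -E -- "^-A $chain .*--icmpv6-type $t( |\$)" \
                | grep -qvE -- '--(ct)?state'; then
                echo "missing: $chain icmpv6 type $t accepted without state match"
                missing=1
            fi
        done
    done
    return $missing
}

# Usage: emit_ruleset | ip6tables-restore
#        ip6tables-save | check_nd_rules
```

To load it on the box: `emit_ruleset | ip6tables-restore`; to audit what is currently loaded: `ip6tables-save | check_nd_rules`. Run against the ruleset from the mail, the checker lists all four ND types for both chains, which is exactly the "icmpv6 without the state flag" rule that made things work again. For the second question, the IPv6 side still has a per-destination cache on 3.16 and `ip -6 route flush cache` clears it.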