Hello everyone, this is my first post on this forum so be nice and point out to me if I'm doing something wrong.
I think there is a bug in the kernel 6.8.12-2-pve where ICMPv6 Neighbor Solicitation packets are dropped if there is the following rule in iptables:
Bash:
ip6tables -I INPUT -m conntrack --ctstate INVALID -j DROP
If iptables is empty everything works as expected, but as soon as I add this rule, the Neighbor Solicitation packets are dropped. The packets arrive at the interfaces as shown by tcpdump, and if I add a LOG rule before the DROP one the kernel logs the packets.
I downgraded the kernel to the 6.8.4-2-pve and everything works.
This was hard to debug as only neighbor solicitations are dropped. So if another host already has the pve in its neighbor cache everything works for a bit, and then stops when the cache expires.
If more information is needed to reproduce the bug I am happy to provide it.