
Re: ICMPv6 and the conntrack table



On 08/10/2016 at 20:09, Florian Pelgrim wrote:

$ ip route get 2404:6800:400a:800::1012
2404:6800:400a:800::1012 from :: via fe80::1 dev eth0  src fe80::d481:11ff:feee:4908  metric 0

This does not look like a correct setup to me, unless the router performs source NAT (yuck!). A link local source address cannot be used to send packets beyond the link.

So why is conntrack ignoring my icmpv6 traffic?

Conntrack does not ignore all ICMPv6 traffic. Only some ICMPv6 types are not tracked because they use multicast which is hard to track. Such types include part of the NDP protocol (neighbour discovery): Neighbour Solicitation, Neighbour Advertisement, Router Solicitation, Router Advertisement, and a few others. They have the UNTRACKED state.

Blocking NDP on a broadcast interface breaks IPv6 connectivity.

Other usual ICMPv6 types such as Echo Request/Reply and error messages (Destination Unreachable, Packet Too Big, Parameter Problem...) are tracked as usual.
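The practical consequence of the reply above is that a firewall whose INPUT policy is DROP and which only accepts ESTABLISHED,RELATED will silently break IPv6, because the NDP types are UNTRACKED and never match a conntrack state rule. The following script is an added example, not part of the original thread: it prints an ip6tables INPUT ruleset in which tracked ICMPv6 (echo, error messages) is handled by conntrack and the four UNTRACKED NDP types are accepted explicitly. The interface name eth0 is taken from the quoted "ip route get" output and is an assumption; the hop-limit check is extra hardening from RFC 4861, which the thread does not discuss.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits ip6tables commands to
# stdout instead of applying them, so it can be reviewed first and then run
# as root with:  sh this_script.sh | sh
# IFACE defaults to eth0, assumed from the quoted "ip route get" output.

IFACE="${IFACE:-eth0}"

# NDP types conntrack leaves UNTRACKED: a generic ESTABLISHED,RELATED rule
# never matches them, so each needs its own ACCEPT rule.
NDP_TYPES="router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement"

# One ACCEPT rule per NDP type. RFC 4861 requires hop limit 255 on NDP
# messages, so "-m hl --hl-eq 255" drops anything that crossed a router.
ndp_rules() {
    for t in $NDP_TYPES; do
        printf 'ip6tables -A INPUT -i %s -p icmpv6 --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' "$IFACE" "$t"
    done
}

# Tracked ICMPv6: echo replies and error messages (Destination Unreachable,
# Packet Too Big, Parameter Problem) arrive as ESTABLISHED or RELATED; only
# unsolicited inbound echo requests need an explicit NEW rule.
tracked_rules() {
    printf 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -j ACCEPT\n'
}

# Complete INPUT policy: default DROP, loopback, tracked ICMPv6, then NDP.
ruleset() {
    printf 'ip6tables -P INPUT DROP\n'
    printf 'ip6tables -A INPUT -i lo -j ACCEPT\n'
    tracked_rules
    ndp_rules
}

# Uncomment to print the ruleset when the script is run directly:
# ruleset
```

Without the ndp_rules block, the host still sends Neighbour Solicitations but drops the Advertisements coming back, so every neighbour entry stays in FAILED state and even on-link traffic stops; that is the "breaks IPv6 connectivity" failure mode named above.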

