I have configured my nftable with
table inet firewall {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid counter packets 0 bytes 0 drop comment "early drop of invalid packets"
        ct state established,related accept comment "accept all connections related to connections made by us"
        ct helper "ftp" accept
        iifname "lo" counter packets 63 bytes 3760 accept comment "accept loopback"
        iifname "lo" ip saddr != 127.0.0.0/8 drop
        iifname "lo" ip6 saddr != ::1 drop
        ip protocol icmp counter packets 0 bytes 0 accept comment "accept all ICMP types"
        meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
        jump input-inetd
        jump output-inetd
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related,new accept
        iifname "br0" counter packets 250 bytes 22684 accept comment "forwarding only on bridge"
    }
    chain output {
        type filter hook output priority filter; policy accept;
        oifname "lo" counter packets 63 bytes 3760 accept comment "accept loopback"
        oifname "lo" ip daddr != 127.0.0.0/8 drop
        oifname "lo" ip6 daddr != ::1 drop
    }
    chain input-inetd {
        tcp dport 21 accept
        tcp dport 23 accept
    }
    chain output-inetd {
        tcp dport 20 accept
    }
}
Normal operation looks fine, but if I look at the output of dhclient -6 I see
XMT: Forming Rebind, 606790 ms elapsed.
XMT: X-- IA_NA 1e:dd:f2:18
XMT: | X-- Requested renew +3600
XMT: | X-- Requested rebind +5400
XMT: | | X-- IAADDR 2a00:6020:500b:ef00:f6e1:1eff:fedd:f218
XMT: | | | X-- Preferred lifetime +7200
XMT: | | | X-- Max lifetime +7500
XMT: V IA_NA appended.
XMT: Rebind on br0, interval 585450ms.
but I do not see any Advertise message (RCV). What is wrong with my configuration?
When I turn nft off, it works fine with my Fritz box. So it looks to me like something is misconfigured.
I hope someone can help me. Thanks.
Try adding this to your input chain:
    meta l4proto ipv6-icmp accept
    meta l4proto icmp accept
    meta l4proto igmp accept
    ip6 ecn not-ect accept
instead of
    meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
and reboot.
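The following is an added example, not the asker's ruleset or the answer's code: the input chain from the question rewritten with the answer's ICMP/IGMP rules merged in, plus one rule the answer does not mention. The extra rule is an assumption about the underlying cause: the DHCPv6 Solicit is sent to the multicast group ff02::1:2, so the unicast Advertise that comes back does not match the conntrack reply tuple, is classified as "new", and is discarded by the chain's drop policy unless it is accepted explicitly. The interface name "br0" is taken from the question; the rule `ip6 ecn not-ect accept` from the answer is deliberately left out here, because the ECN field is 00 on most IPv6 packets, so that rule would accept nearly all inbound IPv6 traffic and make the drop policy ineffective for IPv6. The FTP/telnet service chains from the question are omitted to keep the table self-contained.

```nft
# Added example (assumed configuration, not from the question or the answer).
# Load with:   nft -f this-file.nft
# Syntax-check first without applying:   nft -c -f this-file.nft
table inet firewall {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid drop comment "early drop of invalid packets"
        ct state established,related accept comment "replies to our own connections"

        iifname "lo" accept comment "accept loopback"
        iifname "lo" ip saddr != 127.0.0.0/8 drop
        iifname "lo" ip6 saddr != ::1 drop

        # ICMP, ICMPv6 and IGMP as suggested in the answer (ICMPv6 also carries
        # NDP, which IPv6 on br0 needs in any case)
        meta l4proto icmp accept comment "ICMP"
        meta l4proto ipv6-icmp accept comment "ICMPv6 incl. NDP"
        meta l4proto igmp accept comment "IGMP"

        # Assumed addition: DHCPv6 server/relay (port 547) -> client (port 546).
        # Restricted to link-local sources on the interface dhclient runs on,
        # because a multicast Solicit never creates a matching conntrack reply.
        iifname "br0" ip6 saddr fe80::/10 udp sport 547 udp dport 546 \
            counter accept comment "DHCPv6 client replies"
    }
}
```

After loading, `nft list chain inet firewall input` shows the counters; the DHCPv6 rule's counter should increase once a Solicit or Rebind is answered, which is a quick way to confirm whether the Advertise/Reply is now being accepted rather than dropped by the policy.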