My nftables.conf just runs flush ruleset and then includes my firewall rules, which I copied from the Arch wiki. So the included firewall.rules contains:
# An iptables-like firewall
table firewall {
    chain incoming {
        type filter hook input priority 0;
        # established/related connections
        ct state established,related accept
        # invalid connections
        ct state invalid drop
        # loopback interface
        iifname lo accept
        # icmp
        icmp type echo-request accept
        # open tcp ports
        tcp dport {http, https, ...} accept
        # open udp ports
        udp dport {...} accept
        # drop everything else
        drop
    }
}
table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;
        # established/related connections
        ct state established,related accept
        # invalid connections
        ct state invalid drop
        # loopback interface
        iifname lo accept
        # icmp
        icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept
        # open tcp ports
        tcp dport {http, https, ...} accept
        # open udp ports
        udp dport {...} accept
        # drop everything else
        drop
    }
}
So once everything is loaded, I can't use IPv6; ping6 fails with
From ams16s21-in-x0e.1e100.net icmp_seq=1 Destination unreachable: Address unreachable
But if I run sudo nft flush table ip6 firewall, ping6 immediately starts working as expected. If I then re-create the ip6 firewall table, IPv6 connectivity doesn't fail right away, but after waiting a few minutes I find that the ping6 command returns the error above.
My hosting provider doesn't offer any IPv6 autoconfiguration or router advertisements at the network level.
Has anyone seen something like this before?
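The symptom in the post (IPv6 works right after the table is flushed or re-created, then dies a few minutes later with "Address unreachable") is the classic signature of an input chain that drops neighbour advertisements: the kernel's neighbour cache entry for the gateway survives for a while, and once it expires the host can send neighbour solicitations but never receives the answer, because nd-neighbor-advert is not in the accepted icmpv6 set. The ip6 table above accepts only solicitations and MLD queries. The following small audit script is an added example, not part of the post or of the Arch wiki rules: it scans an nft ruleset text for the icmpv6 types accepted in a given address family and reports which of the RFC 4890 "must not be dropped" types are missing, then prints a replacement rule. The sample ruleset it carries is constructed from the ip6 table in the post (the elided port sets left out); the scanner is a line-based approximation, not a full nft parser, and only understands the `icmpv6 type ... accept` form used here.

```python
from __future__ import annotations

import re

# Constructed sample input: the ip6 table from the post, minus the elided tcp/udp port rules.
SAMPLE_RULESET = """
table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;
        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-solicit,mld-listener-query} accept
        drop
    }
}
"""

# ICMPv6 types a host must accept on its input hook for neighbour discovery and
# path-MTU discovery to keep working (RFC 4890, section 4.4).
REQUIRED_ICMPV6 = {
    "nd-neighbor-solicit",  # answer other hosts' address-resolution queries
    "nd-neighbor-advert",   # learn the gateway's link-layer address; missing here
    "nd-router-advert",     # default route / SLAAC whenever RAs are present
    "packet-too-big",       # path MTU discovery
}


def accepted_icmpv6_types(ruleset: str, family: str = "ip6") -> set[str]:
    """Collect every ICMPv6 type accepted inside tables of the given family.

    Understands 'icmpv6 type {a,b} accept' and 'icmpv6 type a accept' only;
    a table with no explicit family is treated as 'ip', as nft does.
    """
    accepted: set[str] = set()
    in_family = False
    depth = 0
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        table = re.match(r"table\s+(?:(\w+)\s+)?(\w+)\s*\{", line)
        if table and depth == 0:  # a new top-level table starts here
            in_family = (table.group(1) or "ip") == family
        depth += line.count("{") - line.count("}")
        if not in_family:
            continue
        rule = re.search(r"icmpv6\s+type\s+(\{[^}]*\}|[\w-]+)\s+accept", line)
        if rule:
            for t in rule.group(1).strip("{}").split(","):
                if t.strip():
                    accepted.add(t.strip())
    return accepted


def missing_nd_types(ruleset: str, family: str = "ip6") -> set[str]:
    """Required ICMPv6 types that the ruleset never accepts for this family."""
    return REQUIRED_ICMPV6 - accepted_icmpv6_types(ruleset, family)


def suggested_rule(ruleset: str, family: str = "ip6") -> str:
    """An icmpv6 accept rule keeping what is already allowed plus the required types."""
    types = sorted(accepted_icmpv6_types(ruleset, family) | REQUIRED_ICMPV6)
    return "icmpv6 type {" + ",".join(types) + "} accept"


if __name__ == "__main__":
    missing = missing_nd_types(SAMPLE_RULESET)
    if missing:
        print("ip6 input chain drops required ICMPv6 types:", ", ".join(sorted(missing)))
        print("replace the icmpv6 rule with:\n   ", suggested_rule(SAMPLE_RULESET))
    else:
        print("ip6 input chain accepts all neighbour-discovery types")
```

Run against the sample, it reports nd-neighbor-advert, nd-router-advert and packet-too-big as missing and prints a single accept rule containing all seven types. Because the chain ends in an unconditional drop, a type absent from that set is silently discarded, which is why the failure only shows up once the cached neighbour entry for the gateway times out.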