FS#55112 - [nftables] Default configuration fails to reject IPv6 traffic

Attached to Project: Arch Linux
Opened by Sebastian Poeplau (spoeplau) - Friday, 11 August 2017, 18:33 GMT
Last edited by Sébastien Luttringer (seblu) - Saturday, 26 August 2017, 19:53 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Sébastien Luttringer (seblu)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

The default configuration (/etc/nftables.conf) that comes with the package fails to reject incoming IPv6 traffic. The line at fault is 26, "reject with icmp type port-unreachable". Rejecting with "icmp" only applies to IPv4 packets; matching IPv6 traffic as well would require "icmpx" (see https://wiki.nftables.org/wiki-nftables/index.php/Rejecting_traffic). I suggest changing the line to a simple "reject", which seems to be equivalent to "reject with icmpx type port-unreachable", thus rejecting both IPv4 and IPv6 traffic. Also, I propose to add "policy drop;" to the chain in order to mitigate the impact of similar errors in the future.


Additional info:
* tested with nftables 1:0.7-2
* affected configuration file /etc/nftables.conf is maintained by Arch: https://git.archlinux.org/svntogit/packages.git/tree/trunk/nftables.conf?h=packages/nftables


Steps to reproduce:

With a fresh install of package nftables, run "systemctl start nftables" followed by "nc -6 -lp 5000" (requires openbsd-netcat). Then, using another machine, verify that you can connect to the host on TCP port 5000 using IPv6: "nc -6 -v <IPv6 address of host> 5000". Desired behavior would be an ICMPv6 port unreachable; actual behavior is a successful connection.
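The two reject rules discussed in the report, side by side in nftables syntax. This is an added illustration, not the package's own /etc/nftables.conf; the surrounding chain is a constructed minimal example. In an inet table, "reject with icmp ..." carries an implicit IPv4-only restriction, so IPv6 packets fall through to the chain policy, which is accept unless declared otherwise.

```nft
#!/usr/bin/nft -f
# Constructed example, not the Arch package's /etc/nftables.conf.
# Two tables are shown only for comparison; load one or the other.

# BEFORE: the pattern the report describes. "icmp" is an IPv4-only
# reject reason, so IPv6 packets never match the final rule and reach
# the implicit chain policy, which is accept when none is declared.
table inet filter_before {
    chain input {
        type filter hook input priority 0;
        ct state { established, related } accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ssh accept
        reject with icmp type port-unreachable   # matches IPv4 only
    }
}

# AFTER: the two changes the report proposes.
#  1. "policy drop;" so that anything no rule matches is dropped
#     instead of accepted, bounding the damage of a similar slip.
#  2. "icmpx" (or a bare "reject", which in an inet table means
#     "reject with icmpx type port-unreachable"), so IPv4 packets get
#     an ICMP port-unreachable and IPv6 packets an ICMPv6 one.
table inet filter_after {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ssh accept
        reject with icmpx type port-unreachable  # IPv4 and IPv6
    }
}
```

"nft -c -f <file>" parses the file without loading it, which is a cheap way to catch syntax mistakes before "systemctl restart nftables"; it will not, however, flag a rule that is valid but only matches one address family, so the netcat check from the report remains the useful test.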

Closed by Sébastien Luttringer (seblu)
Saturday, 26 August 2017, 19:53 GMT
Reason for closing: Fixed
Additional comments about closing: nftables-1:0.7-3
Comment by Sébastien Luttringer (seblu) - Saturday, 26 August 2017, 19:53 GMT
Damn, not even an error message.
