IPv6 connectivity broken by default IPv6 firewall rules

Hello,

the default IPv6 firewall of SystemrescueCD 6 only enables IPv6 ICMP echo request packets on INPUT:

[root@sysresccd ~]# ip6tables-save
# Generated by ip6tables-save v1.8.4 on Sun Apr 26 12:20:47 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [70:4704]
:LOGDROP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/sec -j LOG --log-prefix "iptables-dropped: "
-A LOGDROP -j DROP
COMMIT

This results in broken IPv6, as none of the following messages pass the firewall:

  • Type 134 - Router Advertisement
  • Type 135 - Neighbor Solicitation
  • Type 136 - Neighbor Advertisement

This also means that any dynamic IPv6 configuration, which depends on router advertisements, will not work.

In addition to that, these messages are filtered:

  • Type 1 - Destination Unreachable
  • Type 2 - Packet Too Big
  • Type 3 - Time Exceeded
  • Type 4 - Parameter Problem
  • Type 137 - Redirect Message

which means that error messages sent by other hosts on the Internet never reach the applications running on SystemrescueCD.

This is the result of an excessive ICMPv6 filtering policy.

Please adjust the IPv6 filtering policy by either removing --icmpv6-type 128 -m conntrack --ctstate NEW from the single rule, or adding more rules to allow the other ICMPv6 types (e.g. allow all messages with Types 134 to 136 sourced from fe80::/64 and/or destined to ff00::/8).

Thank you.

Edited by Radek Zajic
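The following script is an added example, not part of the report above and not SystemRescueCd's own code. It parses an ip6tables-save dump (the one quoted in the report is embedded as a constructed sample), lists which of the ICMPv6 types the report names are not accepted on INPUT, and generates the extra rules the report suggests (error types 1 to 4 from anywhere; NDP types 134 to 136 only from fe80::/64 or to ff00::/8), inserted before the LOGDROP catch-all. The function names, the REQUIRED_TYPES table and the decision to leave Redirect (137) filtered are this example's own assumptions; the audit only inspects -p ipv6-icmp rules and ignores interface and address matches, so treat it as a first check rather than a full policy evaluator.

```python
import shlex

# Constructed sample: the ip6tables-save output quoted in the report above.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [70:4704]
:LOGDROP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/sec -j LOG --log-prefix "iptables-dropped: "
-A LOGDROP -j DROP
COMMIT
"""

# ICMPv6 types a host must be able to receive, as listed in the report (assumed table).
REQUIRED_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}

# Symbolic names ip6tables accepts for --icmpv6-type (subset).
ICMPV6_NAMES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "router-advertisement": 134,
    "neighbour-solicitation": 135, "neighbour-advertisement": 136, "redirect": 137,
}


def _opt(args, flag):
    """Value following `flag` in a tokenised rule, or None if absent."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return None


def accepted_icmpv6_types(ruleset, chain="INPUT"):
    """ICMPv6 types admitted by -j ACCEPT rules in `chain`; None means every type."""
    accepted = set()
    for line in ruleset.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        args = shlex.split(line)
        if _opt(args, "-j") != "ACCEPT" or _opt(args, "-p") not in ("ipv6-icmp", "icmpv6", "58"):
            continue
        t = _opt(args, "--icmpv6-type")
        if t is None:
            return None  # protocol-wide accept: all types pass
        t = t.split("/")[0]  # strip an optional "/code" suffix
        accepted.add(ICMPV6_NAMES.get(t) if t in ICMPV6_NAMES else int(t))
    return accepted


def missing_types(ruleset, chain="INPUT"):
    """Required ICMPv6 types (type -> name) that no ACCEPT rule in `chain` admits."""
    accepted = accepted_icmpv6_types(ruleset, chain)
    if accepted is None:
        return {}
    return {t: n for t, n in REQUIRED_TYPES.items() if t not in accepted}


def extra_rules():
    """Rules implementing the report's suggestion. Redirect (137) is left filtered
    on purpose: accepting it lets any on-link node rewrite this host's routes."""
    rules = [f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT" for t in (1, 2, 3, 4)]
    for t in (134, 135, 136):
        rules.append(f"-A INPUT -s fe80::/64 -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT")
        rules.append(f"-A INPUT -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT")
    return rules


def patched_ruleset(ruleset, chain="INPUT"):
    """Insert extra_rules() just before the chain's jump to LOGDROP, so they are
    evaluated before the catch-all drop; raises if that jump is not found."""
    out, inserted = [], False
    for line in ruleset.splitlines():
        if not inserted and line.startswith(f"-A {chain} ") and _opt(shlex.split(line), "-j") == "LOGDROP":
            out.extend(extra_rules())
            inserted = True
        out.append(line)
    if not inserted:
        raise ValueError(f"no '-j LOGDROP' rule found in chain {chain}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for t, name in sorted(missing_types(SAMPLE_RULESET).items()):
        print(f"INPUT drops ICMPv6 type {t} ({name})")
    print("\nPatched ruleset (feed to ip6tables-restore after review):\n")
    print(patched_ruleset(SAMPLE_RULESET))
```

Running the script against a live system is a matter of piping `ip6tables-save` into `missing_types`; the patched text can be reviewed and then loaded with `ip6tables-restore`, which is why the original `:INPUT DROP` policy and the LOGDROP chain are preserved unchanged.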