The default rules are added by security.ipv6_filtering:
nft -a list chain bridge incus in.test.eth0
table bridge incus {
    chain in.test.eth0 { # handle 126
        type filter hook input priority filter; policy accept;
        iifname "vethe5690360" ether saddr != 10:66:6a:a2:95:3c drop # handle 128
        iifname "vethe5690360" arp saddr ether != 10:66:6a:a2:95:3c drop # handle 129
        iifname "vethe5690360" icmpv6 type nd-neighbor-advert @nh,528,48 != 0x10666aa2953c drop # handle 130
        iifname "vethe5690360" ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport 67 accept # handle 131
        iifname "vethe5690360" arp saddr ip != 10.38.58.3 drop # handle 132
        iifname "vethe5690360" ip saddr != 10.38.58.3 drop # handle 133
        iifname "vethe5690360" ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp dport 547 accept # handle 134
        iifname "vethe5690360" ip6 saddr fe80::/10 ip6 daddr ff02::2 icmpv6 type nd-router-solicit accept # handle 135
        iifname "vethe5690360" icmpv6 type nd-router-advert drop # handle 136
        iifname "vethe5690360" icmpv6 type nd-neighbor-advert @nh,384,128 != 0x26075300006084010000000000000003 drop # handle 137
        iifname "vethe5690360" ip6 saddr != 2607:5300:60:8401::3 drop # handle 138
        iifname "vethe5690360" ether type != { ip, arp, ip6 } drop # handle 140
    }
}
Delete and add new rules:
nft delete rule bridge incus in.test.eth0 handle 134
nft insert rule bridge incus in.test.eth0 position 135 iifname "vethe5690360" ip6 saddr fe80::/10 ip6 daddr ff02::1:2 accept
Current rules:
nft -a list chain bridge incus in.test.eth0
table bridge incus {
    chain in.test.eth0 { # handle 126
        type filter hook input priority filter; policy accept;
        iifname "vethe5690360" ether saddr != 10:66:6a:a2:95:3c drop # handle 128
        iifname "vethe5690360" arp saddr ether != 10:66:6a:a2:95:3c drop # handle 129
        iifname "vethe5690360" icmpv6 type nd-neighbor-advert @nh,528,48 != 0x10666aa2953c drop # handle 130
        iifname "vethe5690360" ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport 67 accept # handle 131
        iifname "vethe5690360" arp saddr ip != 10.38.58.3 drop # handle 132
        iifname "vethe5690360" ip saddr != 10.38.58.3 drop # handle 133
        iifname "vethe5690360" ip6 saddr fe80::/10 ip6 daddr ff02::1:2 accept # handle 152
        iifname "vethe5690360" ip6 saddr fe80::/10 ip6 daddr ff02::2 icmpv6 type nd-router-solicit accept # handle 135
        iifname "vethe5690360" icmpv6 type nd-router-advert drop # handle 136
        iifname "vethe5690360" icmpv6 type nd-neighbor-advert @nh,384,128 != 0x26075300006084010000000000000003 drop # handle 137
        iifname "vethe5690360" ip6 saddr != 2607:5300:60:8401::3 drop # handle 138
        iifname "vethe5690360" ether type != { ip, arp, ip6 } drop # handle 140
    }
}
By the way, I have already disabled UDP Checksum Offloading.
tcpdump:
tcpdump -i incusbr0 -n -e -vvv port 546 or port 547
tcpdump: listening on incusbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:42:27.227200 10:66:6a:a2:95:3c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 152: (flowlabel 0x5ef3f, hlim 1, next-header UDP (17) payload length: 98) fe80::1266:6aff:fea2:953c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5b6010 (rapid-commit) (IA_NA IAID:2186565111 T1:0 T2:0) (IA_PD IAID:2186565111 T1:0 T2:0) (Client-FQDN) (option-request DNS-server SNTP-servers NTP-server opt_82 opt_103 opt_144) (client-ID enterprise 43793 5d59b28d559f75d3) (elapsed-time 65535))
19:44:24.230161 10:66:6a:a2:95:3c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 152: (flowlabel 0x5ef3f, hlim 1, next-header UDP (17) payload length: 98) fe80::1266:6aff:fea2:953c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5b6010 (rapid-commit) (IA_NA IAID:2186565111 T1:0 T2:0) (IA_PD IAID:2186565111 T1:0 T2:0) (Client-FQDN) (option-request DNS-server SNTP-servers NTP-server opt_82 opt_103 opt_144) (client-ID enterprise 43793 5d59b28d559f75d3) (elapsed-time 65535))
19:46:13.360440 10:66:6a:a2:95:3c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 152: (flowlabel 0x5ef3f, hlim 1, next-header UDP (17) payload length: 98) fe80::1266:6aff:fea2:953c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5b6010 (rapid-commit) (IA_NA IAID:2186565111 T1:0 T2:0) (IA_PD IAID:2186565111 T1:0 T2:0) (Client-FQDN) (option-request DNS-server SNTP-servers NTP-server opt_82 opt_103 opt_144) (client-ID enterprise 43793 5d59b28d559f75d3) (elapsed-time 65535))
19:48:03.760747 10:66:6a:a2:95:3c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 152: (flowlabel 0x5ef3f, hlim 1, next-header UDP (17) payload length: 98) fe80::1266:6aff:fea2:953c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5b6010 (rapid-commit) (IA_NA IAID:2186565111 T1:0 T2:0) (IA_PD IAID:2186565111 T1:0 T2:0) (Client-FQDN) (option-request DNS-server SNTP-servers NTP-server opt_82 opt_103 opt_144) (client-ID enterprise 43793 5d59b28d559f75d3) (elapsed-time 65535))
19:50:01.207355 10:66:6a:a2:95:3c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 152: (flowlabel 0x5ef3f, hlim 1, next-header UDP (17) payload length: 98) fe80::1266:6aff:fea2:953c.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=5b6010 (rapid-commit) (IA_NA IAID:2186565111 T1:0 T2:0) (IA_PD IAID:2186565111 T1:0 T2:0) (Client-FQDN) (option-request DNS-server SNTP-servers NTP-server opt_82 opt_103 opt_144) (client-ID enterprise 43793 5d59b28d559f75d3) (elapsed-time 65535))
Additionally, I specifically used another server today with a fresh installation of Debian 12. I installed Incus on this system and was able to reproduce the issue. Therefore, I believe this is a bug in Incus.
This is utterly torturous. I’ve already wasted several days on this issue and I’m completely exhausted. As an alternative, I could change the DHCPv6 lease time to a very large value, like 10 years, to prevent the virtual machines from losing their IPv6 addresses. Alternatively, I could use ndppd on the host machine to proxy the entire /64 IPv6 subnet and then use SLAAC to assign addresses to the VMs.
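Added example, not part of the original post and not Incus code: it shows how the two raw-payload matches in the chain listing (`@nh,528,48` in handle 130 and `@nh,384,128` in handle 137) line up with the target link-layer address option and the target address of an ICMPv6 neighbor advertisement. The packet builder and helper names are hypothetical, the packets are constructed, and the target link-layer address option is assumed to be the first option in the advertisement.

```python
import ipaddress
import struct

# Values copied from the chain listing in the post.
ALLOWED_MAC = "10:66:6a:a2:95:3c"
ALLOWED_IP6 = "2607:5300:60:8401::3"
RULE_TLLA = (528, 48, 0x10666AA2953C)                         # handle 130
RULE_TARGET = (384, 128, 0x26075300006084010000000000000003)  # handle 137


def build_na(src, dst, target, tlla_mac):
    """Constructed neighbor advertisement, starting at the network header."""
    mac = bytes.fromhex(tlla_mac.replace(":", ""))
    # ICMPv6: type 136, code 0, checksum (left 0, not validated here), flags
    icmp = struct.pack("!BBHI", 136, 0, 0, 0x20000000)
    icmp += ipaddress.IPv6Address(target).packed   # target address, 16 bytes
    icmp += bytes([2, 1]) + mac                    # option type 2, length 1 (x8 bytes)
    # IPv6 header: version 6, payload length, next header 58, hop limit 255
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + icmp


def nh_bits(packet, offset, length):
    """Value of nft's @nh,offset,length: `length` bits at bit `offset`."""
    assert offset % 8 == 0 and length % 8 == 0  # true for both rules here
    return int.from_bytes(packet[offset // 8:(offset + length) // 8], "big")


def na_verdict(packet):
    """Apply only the two nd-neighbor-advert raw-payload rules, in chain order."""
    for handle, (off, length, want) in ((130, RULE_TLLA), (137, RULE_TARGET)):
        if nh_bits(packet, off, length) != want:
            return f"drop (handle {handle})"
    return "continue"


if __name__ == "__main__":
    legit = build_na(ALLOWED_IP6, "ff02::1", ALLOWED_IP6, ALLOWED_MAC)
    # Constructed spoof: advertises a neighbouring address the instance does not own.
    spoof = build_na(ALLOWED_IP6, "ff02::1", "2607:5300:60:8401::4", ALLOWED_MAC)
    print(na_verdict(legit), "|", na_verdict(spoof))
```

Bit offset 384 is byte 48 (40-byte IPv6 header plus the 8-byte ICMPv6 header and flags), and bit offset 528 is byte 66 (after the 16-byte target address and the 2-byte option type and length).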