By default, Netfilter cannot track replies to multicast (or, for IPv4, broadcast) messages. Unless such replies are explicitly allowed through a stateless rule, they are therefore not matched by a rule using the conntrack match module. To work around this limitation, I developed an equivalent workaround using ipset and iptables. Theoretically the same can be done with …