On 2017/06/22 16:05, Marc Peters wrote:
> On 06/22/17 at 15:30, Stuart Henderson wrote:
> >
> > How are your PF rules? Do they allow NDP packets to pass? If you're
> > unsure, I would try "pass log inet6 proto icmp6" or similar.
> >
> > (this might be a bit of a surprise if used to IPv4 where address
> > resolution is done by a separate protocol that PF doesn't block).
> >
>
> I don't block any icmp6:
> pass inet6 proto icmp6 all
>
> is already present in my /etc/pf.conf

Are there any other rules which might interfere with this one?

This issue feels very much like NDP not getting through in some circumstances. For instance I had problems at an IXP where one peer was sourcing the NDP from an fe80:: address which was getting blocked by a too-restrictive "drop junk packets" type of rule. Everyone else was sending them with a "real" source address which wasn't triggering that rule - it took a while to track down!

I would want to be 100% sure of this before digging deeper (e.g. with "match log(matches) proto icmp6" at the top of the ruleset and watching pflog when flushing ndp).

I think the step after that would be seeing what you get from nd6 debug messages, either you can build a kernel with the ND6_DEBUG option, or if you can break into DDB, you don't actually need a new kernel, just 'w nd6_debug 1' and 'c' should do the trick - then see what shows up in /var/log/messages.
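
An added example, not part of the original message: a small script that scans pflog output captured while the "match log(matches) proto icmp6" rule is loaded and lists the NDP packets that some rule blocked, flagging link-local (fe80::) sources. The sample lines are constructed, and their layout is an assumption about how tcpdump prints pflog entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output (not from
# the thread); the line layout is an assumption about tcpdump's pflog format.
SAMPLE = """\
Jun 22 16:01:10.101234 rule 0/(match) match in on em0: 2001:db8::2 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8::1
Jun 22 16:01:10.101234 rule 9/(match) pass in on em0: 2001:db8::2 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8::1
Jun 22 16:01:12.300456 rule 0/(match) match in on em0: fe80::21b:21ff:fe00:1 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8::1
Jun 22 16:01:12.300456 rule 4/(match) block in on em0: fe80::21b:21ff:fe00:1 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:db8::1
Jun 22 16:01:13.000789 rule 9/(match) pass in on em0: 2001:db8::3 > 2001:db8::1: icmp6: echo request
"""

# Rule number, action, direction, interface, addresses and NDP message type.
LINE = re.compile(
    r"rule (?P<rule>[^/]+)/\((?P<reason>[^)]*)\) (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+): icmp6: "
    r"(?P<kind>(?:neighbor|router) (?:sol|adv))"
)


def blocked_ndp(log_text):
    """Count NDP packets that a pf rule blocked.

    Keys are (rule, source address, NDP type, source_is_link_local).
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["action"] != "block":
            continue  # not NDP, or only a match/pass entry
        src = ipaddress.ip_address(m["src"])
        hits[(m["rule"], m["src"], m["kind"], src.is_link_local)] += 1
    return hits


if __name__ == "__main__":
    for (rule, src, kind, link_local), n in blocked_ndp(SAMPLE).items():
        note = " (link-local source)" if link_local else ""
        print(f"rule {rule} blocked {n} x {kind} from {src}{note}")
```

The rule number it reports can be looked up with `pfctl -vvsr`, which lists the loaded rules with their numbers.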
