[Bug 263288] IPv6 system not responding to Neighbor Solicitation

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 20 Apr 2022 21:08:17 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263288

--- Comment #8 from wcarson.bugzilla@disillusion.net ---
I do have these lines in my pf.conf, which have worked for the past many years
and not changed. (I also double-checked by comparing to a backup from 2020.) 

    icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
    # Neighbor Discovery Protocol (NDP) (types 133-137):
    #   Router Solicitation (RS), Router Advertisement (RA)
    #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
    #   Route Redirection
    icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"

    pass in quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep
state
    pass in quick on $ext_if inet6 proto ipv6-icmp from any to { $ext_if,
ff02::1/16 } icmp6-type $icmp6_types_ext_if keep state


Additionally, I turned off pf completely (via /etc/rc.conf, pf_enable="NO", and
rebooted) -- no change.

root@roast:~ # pfctl -d
pf disabled
root@roast:~ # ping6 kyoto.disillusion.net
PING6(56=40+8+8 bytes) 2600:3c00::f03c:91ff:feb0:a56f -->
2605:6400:10:968:22:da15:28a6:c800
^C
--- kyoto.disillusion.net ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
root@roast:~ # date ; ndp -c ; ping6 -c1 -t2 fe80::1%em0 ; ndp -na ; echo ;
ping6 -c1 -t2 fe80::8678:acff:fe1c:ec41%em0 ; ndp -na ;
Wed Apr 20 16:05:40 CDT 2022
fe80::1%em0 (fe80::1%em0) deleted
fe80::8678:acff:fe1c:ec41%em0 (fe80::8678:acff:fe1c:ec41%em0) deleted
fe80::e6c7:22ff:fe10:9cc1%em0 (fe80::e6c7:22ff:fe10:9cc1%em0) deleted
PING6(56=40+8+8 bytes) fe80::f03c:91ff:feb0:a56f%em0 --> fe80::1%em0

--- fe80::1%em0 ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
Neighbor                             Linklayer Address  Netif Expire    S Flags
2600:3c00:e000:137::1:1              f2:3c:91:b0:a5:6f    em0 permanent R
fe80::1%em0                          00:05:73:a0:0f:ff    em0 23h59m58s S R
2600:3c00:e000:137::1                f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00:e000:137::3:1              f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00:e000:137::2:1              f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00::f03c:91ff:feb0:a56f       f2:3c:91:b0:a5:6f    em0 permanent R
fe80::f03c:91ff:feb0:a56f%em0        f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00:e000:137:cafe:8a2e:370:7334 f2:3c:91:b0:a5:6f   em0 permanent R

PING6(56=40+8+8 bytes) fe80::f03c:91ff:feb0:a56f%em0 -->
fe80::8678:acff:fe1c:ec41%em0

--- fe80::8678:acff:fe1c:ec41%em0 ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
Neighbor                             Linklayer Address  Netif Expire    S Flags
2600:3c00:e000:137::1:1              f2:3c:91:b0:a5:6f    em0 permanent R
fe80::1%em0                          00:05:73:a0:0f:ff    em0 23h59m56s S R
2600:3c00:e000:137::1                f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00:e000:137::3:1              f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00:e000:137::2:1              f2:3c:91:b0:a5:6f    em0 permanent R
2600:3c00::f03c:91ff:feb0:a56f       f2:3c:91:b0:a5:6f    em0 permanent R
fe80::f03c:91ff:feb0:a56f%em0        f2:3c:91:b0:a5:6f    em0 permanent R
fe80::8678:acff:fe1c:ec41%em0        84:78:ac:1c:ec:41    em0 16s       R R
2600:3c00:e000:137:cafe:8a2e:370:7334 f2:3c:91:b0:a5:6f   em0 permanent R
root@roast:~ # ping6 kyoto.disillusion.net
PING6(56=40+8+8 bytes) 2600:3c00::f03c:91ff:feb0:a56f -->
2605:6400:10:968:22:da15:28a6:c800
^C
--- kyoto.disillusion.net ping6 statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
root@roast:~ # ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2600:3c00::f03c:91ff:feb0:a56f -->
2607:f8b0:4023:1000::71
^C
--- ipv6.l.google.com ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

It seems it thinks there are lots of bad Neighbor Solicitation messages? Is
there a way to understand why it thinks they're bad?


root@roast:~ # netstat -sp icmp6
icmp6:
        1717 calls to icmp6_error
        0 errors not generated in response to an icmp6 message
        0 errors not generated because of rate limitation
        Output histogram:
                unreach: 1717
                echo: 82607
                echo reply: 3
                neighbor solicitation: 8200
                neighbor advertisement: 1120
                MLDv2 listener report: 4
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        Input histogram:
                unreach: 1715
                echo: 3
                echo reply: 105
                router advertisement: 485020
                neighbor solicitation: 359208
                neighbor advertisement: 8191
        Histogram of error messages to be generated:
                0 no route
                0 administratively prohibited
                0 beyond scope
                0 address unreachable
                1717 port unreachable
                0 packet too big
                0 time exceed transit
                0 time exceed reassembly
                0 erroneous header field
                0 unrecognized next header
                0 unrecognized option
                0 redirect
                0 unknown
        3 message responses generated
        0 messages with too many ND options
        0 messages with bad ND options
        357910 bad neighbor solicitation messages   <-----
        0 bad neighbor advertisement messages
        0 bad router solicitation messages
        0 bad router advertisement messages
        0 bad redirect messages
        0 default routers overflows
        0 prefix overflows
        0 neighbour entries overflows
        0 redirect overflows
        0 messages with invalid hop limit
        0 path MTU changes

-- 
You are receiving this mail because:
You are the assignee for the bug.