Re: Set net.inet6.icmp6.nodeinfo default to 0 and disable annoying ip6 logging

From: Marek Zarychta <>
Date: Thu, 16 Feb 2023 10:50:58 UTC
W dniu 16.02.2023 o 10:22, Ruben van Staveren pisze:
> Hi list,
> Given 13.2 is nearing release, would it be possible to have a look at
> 257709 – netinet6: Set net.inet6.icmp6.nodeinfo default to 0 
> <>
> <>
> 	fbsd_favicon.ico 
> <>
> <>
> And harden FreeBSD’s default IPv6 security a bit?
> Regards,
>     Ruben


perhaps time to change the defaults, but still, it can be easily 
disabled by setting:

sysctl net.inet6.icmp6.nodeinfo=0

My concern is rather kernel message buffer on IPv6 routers flooded with 
hundreds of entries:

cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 
58, rcvif vlan5, outif vlan2
cannot forward src fe80:10::102a:79ff:fec7:61cf, dst 
2001:db8:db8:a028::1, nxt 58, rcvif vlan4, outif vlan2

It's fine that these packets are not being forwarded, but logging them 
can't be disabled, only delayed with increasing the value of the sysctl 
knob "net.inet6.ip6.log_interval", which is not always the best 
solution. It's not always possible to implement BCP38, and even harder 
to ask the upstream for the implementation of the BCP38 policy, so 
silently discarding those packets will be fine. I am crossposting it to 
freebsd-net@ to gain an even wider audience and support. Is the survey 
on Twitter required?


Marek Zarychta