From a82347584ba708c4d20b25b2ed13794905ff639f Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Wed, 26 Nov 2025 17:08:15 +0100
Subject: [PATCH] pf tests: fix killstate:v6

Allow neighbor discovery/advertisement packets, but don't create state for them. This ensures that the destination jail can respond to our echo requests, and that we don't create extra states that would confuse the test.

Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 tests/sys/netpfil/pf/killstate.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/sys/netpfil/pf/killstate.sh b/tests/sys/netpfil/pf/killstate.sh
index ffb01df5790..4c34c8036f0 100644
--- a/tests/sys/netpfil/pf/killstate.sh
+++ b/tests/sys/netpfil/pf/killstate.sh
@@ -187,6 +187,7 @@ v6_body()
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "block all" \
+ "pass quick inet6 proto ipv6-icmp all icmp6-type { neighbrsol, neighbradv } no state" \
 "pass in proto icmp6" \
 "set skip on lo"
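Review bot: The reason the neighbor-discovery rule must be stateless is recorded only in the commit message; the added `pass quick inet6 proto ipv6-icmp ... no state` argument to `pft_set_rules` carries no explanation in the test itself. A comment cannot sit inside the backslash-continued argument list, so I would put one directly above the call, for example `# Pass ND statelessly: alcatraz must resolve our address to answer the echo request, but ND states would confuse the kill checks.` Without it, a later cleanup that drops `no state` or folds this rule into `pass in proto icmp6` could reintroduce the failure this commit fixes. v6_body starts and ends outside the hunk, so how the later checks use the state table is inferred from the commit message rather than from visible lines.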