From 6fcd0d88b68750375b1ca3b7ae4a3177d514b49f Mon Sep 17 00:00:00 2001
From: phessler
Date: Wed, 26 Apr 2023 14:28:09 +0000
Subject: [PATCH] During boot we have a protective and restrictive pf ruleset during the time we are running netstart, and then load the pf.conf ruleset after all of the interfaces are loaded. Allow in and out IPv6 neighbor advertisement traffic without state during that time. suggestions/OK from saschan@ OK sthen@ kn@ florian@ deraadt@
---
 etc/rc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/rc b/etc/rc
index 7cf7e42549c..ea30a76aec4 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.570 2023/01/25 10:53:15 asou Exp $
+# $OpenBSD: rc,v 1.571 2023/04/26 14:28:09 phessler Exp $
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@@ -447,7 +447,7 @@ if [[ $pf != NO ]]; then
 if ifconfig lo0 inet6 >/dev/null 2>&1; then
 RULES="$RULES
 pass out inet6 proto icmp6 all icmp6-type neighbrsol
- pass in inet6 proto icmp6 all icmp6-type neighbradv
+ pass inet6 proto icmp6 all icmp6-type neighbradv no state
 pass out inet6 proto icmp6 all icmp6-type routersol
 pass in inet6 proto icmp6 all icmp6-type routeradv
 pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
-- 
2.20.1
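Review bot: The reason the new neighbradv rule is stateless and directionless is recorded only in the commit message, not in the script, so a later tidy-up could restore the `pass in ... neighbradv` form that every neighbouring rule in this hunk still uses and silently reintroduce the boot-time breakage. The ruleset is where a maintainer will look; suggest a shell comment on the line after `if ifconfig lo0 inet6 >/dev/null 2>&1; then` and before the `RULES="$RULES` assignment, e.g. `# neighbradv is passed stateless in both directions: while netstart brings up interfaces there is no pf state yet, so a stateful rule would drop advertisements (see the commit message for this change)`. Keep the comment outside the quoted RULES string so it is not handed to pfctl along with the rules. The enclosing `if [[ $pf != NO ]]` block begins before this hunk, and the `$OpenBSD` id change in the first hunk needs no review.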