IPv6 Sure Is Fun! smile smile eyetwitch smile

Spent a few ghastly hours the other day trying to figure out why a VPS would get IPv6 addresses on boot, but then fail to renew, dropping its ULA and global IPs. Finally deduced that not a one of the "basic firewall :D" examples I perused when creating my nftables setup considered an environment using DHCP6.

Turns out for that case, in addition to allowing some ICMP types, you need to punch a link-local hole for new incoming connections, on UDP port 546.

    ip6 saddr fe80::/10 udp dport 546 ct state new accept

This is for two things:

  1. The DHCP6 server can apparently send unsolicited 'Reconfigure' messages that your DHCP client should theoretically listen for and obey. I suppose this is part of the more dynamic abilities of IPv6.
  2. In the normal request/reply or renewal case, it seems 'some' (? no details in what I found) DHCP6 servers will respond to multicast requests via unicast. Firewall connection tracking can't predict that, so the port just needs to be open to all new connections.

Apparently case 2 applies in the Oracle Cloud when using their IPv6 assignment system and DHCP servers.
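As an added example (not from the original post), here is how that rule sits in a complete minimal nftables input chain for a host that gets its addresses from RAs plus DHCPv6; the table and chain names, and the ICMPv6 type set, are my assumptions, not the author's ruleset.

```nft
# Added example, not the original post's ruleset. Table/chain names are placeholders.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour Discovery plus the ICMPv6 error types IPv6 cannot function without.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # DHCPv6: the client listens on UDP 546. A server's Reply (or an unsolicited
        # Reconfigure) arrives as a fresh link-local unicast flow that conntrack cannot
        # relate to the client's Solicit/Renew, which went to multicast ff02::1:2,
        # so it has to be accepted explicitly. Source is restricted to link-local.
        ip6 saddr fe80::/10 udp dport 546 ct state new accept

        # Without the rule above, Router Advertisements still get through (routes and
        # prefixes appear) but the lease never does, which is the symptom described above.
    }
}
```

Load it with `nft -f`; putting `counter` before `accept` on the DHCPv6 rule lets you confirm in `nft list ruleset` that the server's replies are actually hitting it.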

What made figuring this out extra-confusing was that some of the config could get through. Not sure of the details, but dhcpcd could see enough to add routes to the ULA and global networks. It just couldn't get the actual lease responses, so would not assign the IPs. This left me flailing a bit thinking I had broken dhcpcd settings, and so my attempts to search for answers did not yield good results. In the end an otherwise unhelpful result gave me the idea of trying with my firewall dropped.

...Actually, now that I think about it, I'm still not sure why renewals wouldn't work. I would think dhcpcd would know the address of the server, send the request via unicast, and then conntrack would enable reception of the reply. But I guess not.

¯\_(ツ)_/¯


More from Bemused Quacking