I am running an OpenBSD 5.9 box as a firewall/router on a Comcast cable connection. My box has 2 interfaces: em0 on the external network (cable modem) and em1 on the internal network. I have applied all available patches for 5.9.

For IPv6 I'm running the wide-dhcpv6 package to get a non-temporary address on em0 and prefix delegation (/64) on em1. I'm using SLAAC on em0 to get the default inet6 route from Comcast - I have an "rtsol" line in hostname.em0. Finally, I'm running rtadvd on em1 to advertise the inet6 route and prefix to internal clients. I'm using the default rtadvd config (no config file).

This all works great, but one issue I'm noticing is that the netstat -rn output seems to keep growing, particularly for ff02::1:ff routes on the internal interface (em1). After 2 days of uptime I have this:

    $ netstat -rn | grep -c 'ff02::1:ff'
    124

These routes look like this - notice the c flag, so these are cloned routes:

    $ netstat -rn | grep 'ff02::1:ff'
    ff02::1:ff02:e530%em1              link#3                         UHLc       0        3     -     4 em1
    ff02::1:ff04:8e23%em1              link#3                         UHLc       0       71     -     4 em1
    ff02::1:ff04:ee06%em1              link#3                         UHLc       0        2     -     4 em1

Wikipedia says these are solicited-node multicast addresses: https://en.wikipedia.org/wiki/Solicited-node_multicast_address

Looking at the kernel code, I think these are all cloned child routes of a route set up by this code in sys/netinet6/in6.c (interesting comment):

    bzero(&info, sizeof(info));
    info.rti_info[RTAX_DST] = sin6tosa(&mltaddr);
    info.rti_info[RTAX_GATEWAY] = sin6tosa(&ia6->ia_addr);
    info.rti_info[RTAX_NETMASK] = sin6tosa(&mltmask);
    info.rti_info[RTAX_IFA] = sin6tosa(&ia6->ia_addr);
    /* XXX: we need RTF_CLONING to fake nd6_rtrequest */
    info.rti_flags = RTF_CLONING;
    error = rtrequest(RTM_ADD, &info, RTP_CONNECTED, NULL,
        ifp->if_rdomain);

mltaddr is set to in6addr_linklocal_allnodes, which is IN6ADDR_LINKLOCAL_ALLNODES_INIT, which is ff02::1:ff

Questions:

- Are these child routes really leaking? Is there a max number of cloned child routes or a timeout for these? I cannot find any evidence of this.
- If they are leaking, I worry my poor router will eventually try to add all possible 2^24 solicited-node multicast entries to the routing table and die of memory exhaustion.
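To make the growth described above measurable rather than anecdotal, here is an added example (not part of the original post, and not OpenBSD code) that parses `netstat -rn` output, keeps only cloned routes inside the solicited-node multicast prefix ff02::1:ff00:0/104, derives the solicited-node address each known neighbor should produce (low 24 bits of the unicast address appended to the prefix, per RFC 4291), and reports cloned routes that no longer match any known neighbor. The netstat text and the neighbor list are constructed samples in the column layout shown in the post; on a real box the neighbor list would come from `ndp -an`, and the threshold value is an assumption chosen only to illustrate the check.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (same column layout as the post;
# not captured from a real host).
SAMPLE_NETSTAT = """\
Routing tables

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
fe80::1%em1                        00:11:22:33:44:55              UHLc       0        5     -     4 em1
ff02::1:ff02:e530%em1              link#3                         UHLc       0        3     -     4 em1
ff02::1:ff04:8e23%em1              link#3                         UHLc       0       71     -     4 em1
ff02::1:ff04:ee06%em1              link#3                         UHLc       0        2     -     4 em1
ff02::1:ff00:1%em0                 link#2                         UHLc       0        9     -     4 em0
"""

# Constructed stand-in for what `ndp -an` would list as current neighbors.
SAMPLE_NEIGHBORS = [
    "fe80::a00:27ff:fe02:e530",   # -> ff02::1:ff02:e530
    "2001:db8:1::204:8e23",       # -> ff02::1:ff04:8e23
]

# RFC 4291 solicited-node multicast prefix; the host part is 24 bits wide,
# which is where the 2^24 upper bound in the post comes from.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
SOLICITED_NODE_SPACE = 2 ** (128 - SOLICITED_NODE_PREFIX.prefixlen)


def solicited_node_address(unicast):
    """Return the solicited-node multicast address for a unicast IPv6 address."""
    addr = ipaddress.IPv6Address(unicast)
    low24 = int(addr) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def parse_cloned_solicited_routes(netstat_text):
    """Extract cloned (flag 'c') routes whose destination is a solicited-node address."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # blank lines, section titles, short lines
        dest, flags, iface = fields[0], fields[2], fields[-1]
        # Strip OpenBSD's "/prefixlen" and "%scope" decorations before parsing.
        bare = dest.split("/")[0].split("%")[0]
        try:
            addr = ipaddress.IPv6Address(bare)
        except ValueError:
            continue  # header row or IPv4 entry
        if addr in SOLICITED_NODE_PREFIX and "c" in flags:
            routes.append({"dest": addr, "iface": iface, "flags": flags, "use": int(fields[4])})
    return routes


def stale_solicited_routes(routes, known_neighbors):
    """Cloned solicited-node routes with no currently known neighbor behind them."""
    expected = {solicited_node_address(n) for n in known_neighbors}
    return [r for r in routes if r["dest"] not in expected]


def count_by_interface(routes):
    """Per-interface tally, the number to watch over time for unbounded growth."""
    counts = {}
    for r in routes:
        counts[r["iface"]] = counts.get(r["iface"], 0) + 1
    return counts


def growth_alert(routes, threshold=100):
    """True when the total cloned solicited-node route count exceeds an assumed threshold."""
    return len(routes) > threshold


if __name__ == "__main__":
    cloned = parse_cloned_solicited_routes(SAMPLE_NETSTAT)
    print("cloned solicited-node routes:", len(cloned), count_by_interface(cloned))
    for r in stale_solicited_routes(cloned, SAMPLE_NEIGHBORS):
        print("no known neighbor for", r["dest"], "on", r["iface"], "use =", r["use"])
    print("theoretical maximum per interface:", SOLICITED_NODE_SPACE)
```

Running this periodically (feeding it the real `netstat -rn` and `ndp -an` output) turns the question in the post into two numbers that can be compared across days: the per-interface count, and how many of those routes correspond to neighbors the router still knows about.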