This defines the prefix which will be matched against received Neighbor Solicitations. It will often be a /64 supplied by an ISP, but this is by no means mandatory.

Note that leading zeros are not required, but can be used. So

is equivalent to

The prefix does require a terminating colon, e.g.

The /mask value is optional, and often not required. In many cases where npd6 is used, the user will have received a 64-bit prefix from their ISP. Simply add this as the prefix here and you'll be good to go!

If the /mask value is not supplied, but the prefix given is not a 64-bit one, then an implicit mask is used of the prefix's length rounded up to the next 16-bit boundary. e.g.

is implicitly euivalent to

If a /mask value is used, then it operates in the traditional (although maybe unintuitive to some!) maner of an IP mask. For example:

would match 2000:11:22:33::0 thru 2000:11:22:33:7fff:ffff:ffff:ffff

Whereas

would match 2000:11:22:33:8000::0 thru 2000:11:22:33:ffff:ffff:ffff:ffff

If you understand masks, then they are there and available. If you do not understand masks, just ignore this.

Finally: a useful shorthand to match any address within a NS on the designated interface is

However its use would be unusual and could lead to some unforseen consequences if not thought through. Use with care.

This defines the interface to which we will bind and listen. Note also that this is the interface which will, by default (see below), have the multicast flag enabled if required too.

It will typically be one of the ethernet interfaces, e.g.

This defines the type of "listing" (if any) to be performed: whitelisting, blacklisting or none at all. What is "listing"? In general, a whitelist ONLY allows items pre-configured on the list to be permitted. A blacklist allows anything EXCEPT those items pre-configured on the list.

If black or white is specified then you should also then define at least 1 (and as many more as you require) addrlist and/or exprlist items.

Note also that this config item must be before the addrlist or exprlist items in the config file.

e.g. addrlist = 2a01:0123:456:7::22 (All the usual formats are supported.)

Defines the list of addresses to be either white- or black-listed.

e.g. exprlist = (HOST);SEAN=(HOST&0xffff);((SEAN>0x99)&&(SEAN<0x124))

This example will (if black listing) refuse any NS that is for PREFIX::100 up to PREFIX::123. It any other PREFIX:: value will match. Or if whitelisting, will only allow value in those ranges.

If on addresses which match a white/blacklist will be logged (even if debug is not enabled). If off matches will not be logged (unless debug is in use, when they will be logged regardless)

Default: off

Optionally, npd6 can record a list of targets received in the incoming Neighbor Solicitations, to which it has replied. These can be displayed in the defined log by sending a USR2 signal npd6. e.g. kill -USR2 <pid of npd6>

This parameter defines a limit to the number of addresses recorded. If the value is zero, then the feature is disabled. This is the default behaviour. The parameter should be set to a suitably large but sane value. The only significant overhead is memory (for storing the addresses) Given the address space of IPv6 and the possibility of receiving very many different target addresses to not provide a ceiling to this feature would potentially open npd6 up to a denial-of-service based upon memory depletion.

In a typical situation, where a network might expect to receive Neighbor Solicitations for several dozen devices, there's likely no harm in setting this to 100 or 1000. Just don't set it at 10,000,000 without thinking first. Memory is only allocated as-required - if you do set a high limit, npd6 does not preallocate the memory, but only use it as and if required.

Normal RFC-compliant behaviour requires that if npd6 is replying to a multicast Neighbor Solicitation it must include the Target Link-Layer option in any reply. However if replying to a unicast Neighbor Solicitation this option is not required. Hence it is normally not used unless enabled here by changing the this to true

Default: false

If npd6 receives a Neighbor Solicitation for the global address of the interface to which it is bound, if set to true npd6 will ignore and not reply - this is since ordinarily the kernel will itself automatically respond to such a situation.

If changed from the default and set to false then such Neighbor Solcitations will be responded to - possibly resulting in duplicated Neighbor Advertisements.

Default: true

Normal RFC-compliant behaviour requires that outgoing Neighbor Advertisements have the ROUTER flag set in them. This will be done unless disabled by changing this to false.

Default: true

Outgoing Neighbor Advertisements will normally have their maximum hop value set to 255. if set incorrectly no anomaly in the operation of npd6 will be seen - however Neghbor Advertisements generated by npd6 may be silently ignored by the receiving device. Do not change without good reason!

Default: 255

This is to cater for situations when an interface goes bad for a short time, but comes back in the end. e.g. bouncing an interface, or during boot-up when things might take a second or three longer than expected to be ready and available.

Set to 0 to disable the mechanism completely.

Given the nature of the underlying mechanisms, if an interface goes away and does not come back, this threshold strictly speaking is the minimum number of poll failures we will wait for before permanently failing. However practically speaking, this value represents the minimum period in seconds which we will wait before taking this action. The maximum period is potentially twice this value.

Note that if this value is set higher than 30, the mechanism may not operate as expected! This is implementation dependent. Best left alone, to be honest... 20 is a sensible default value!

Default: 20