Hi.

RFC 7084 (Basic Requirements for IPv6 Customer Edge Routers) section 4.3 L-14 mandates that if a router's LAN-facing interface receives an IPv6 packet with a source address from a prefix that has been invalidated, then the router must send an ICMPv6 type "Destination Unreachable" code "Source address failed ingress/egress policy" back to source. For example, this could happen if the ISP changes the delegated global unicast IPv6 prefix and a host in the LAN, for whatever reason, keeps using the old IPv6 prefix. I guess the idea of the RFC 7084 section 4.3 L-14 is to signal back to source that the prefix is no longer usable.

This could be implemented by sending the packets failing the RPF check:

    table inet filter {
        chain prerouting {
            type filter hook prerouting priority filter; policy accept;
            iifname "lan0" meta nfproto ipv6 fib saddr . iif oif missing counter packets 0 bytes 0 queue to 10 comment "RPF check"
        }
    }

.. to a userspace program which sends the error message back to source via LAN-facing interface and then drops the packet:

https://gist.github.com/tonusoo/6051bfbf0a0740dee62c4e0b0ed4e2ab

Can anyone think of a way to accomplish this without sending packets to userspace? I guess the main challenge is the missing neighbor cache entry for the source IPv6 address.

thanks,
Martin
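The userspace step described in the message above, as an added example that is not part of the original post and is not the code from the linked gist: it builds the ICMPv6 Destination Unreachable (type 1, code 5) reply for a queued packet, following the RFC 4443 rules on message size and on when an error must not be sent. The function names, the router source address `fe80::1`, the hop limit of 64 and the `2001:db8::/32` sample addresses are assumptions, and only the fixed header's Next Header field is inspected (extension headers are not walked).

```python
import ipaddress
import struct

ICMPV6 = 58
MIN_MTU = 1280  # RFC 4443: an error message must not exceed the IPv6 minimum MTU

def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_policy_unreach(offending: bytes, router_addr: str):
    """Return an IPv6 packet with Destination Unreachable code 5, or None."""
    if len(offending) < 40 or offending[0] >> 4 != 6:
        return None  # not a complete IPv6 header
    src = ipaddress.IPv6Address(offending[8:24])
    # RFC 4443 section 2.4(e): never answer an unspecified or multicast source,
    # and never answer an ICMPv6 error message (ICMPv6 type below 128).
    if src.is_unspecified or src.is_multicast:
        return None
    if offending[6] == ICMPV6 and len(offending) > 40 and offending[40] < 128:
        return None
    rtr = ipaddress.IPv6Address(router_addr).packed  # assumed: router's lan0 address
    quoted = offending[:MIN_MTU - 40 - 8]  # room for IPv6 and ICMPv6 headers
    icmp = struct.pack("!BBHI", 1, 5, 0, 0) + quoted  # type, code, cksum=0, unused
    # Pseudo-header: source, destination, upper-layer length, 3 zero bytes, next header
    pseudo = rtr + src.packed + struct.pack("!I3xB", len(icmp), ICMPV6)
    icmp = icmp[:2] + struct.pack("!H", checksum(pseudo + icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 64) + rtr + src.packed
    return ip6 + icmp

def sample_packet(src: str, dst: str, nh: int, payload: bytes) -> bytes:
    """Constructed test input: a minimal IPv6 packet with the given next header."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

if __name__ == "__main__":
    # Host still using an old (constructed) prefix sends a UDP packet upstream.
    pkt = sample_packet("2001:db8:dead::10", "2001:db8:ffff::1", 17, b"\x00" * 8)
    print(build_policy_unreach(pkt, "fe80::1").hex())
```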