That’s the same as “Enabling security.ipv6_filtering causes the host to stop responding to DHCPv6 renew requests” (#14 by xenon).
I’ve been trying to sort this one out on and off but haven’t yet gotten to the bottom of it. It’s certainly possible to add/relax the rules to make it work, but not in a way that wouldn’t also allow potential spoofing or DoS… It’s also really weird as the very packet we see in tcpdump matches perfectly the rule in nft and in fact clears it during the initial request.