Per the latest "recommended" IPv6 ip6tables ruleset from February 2010 (adopted by most major Linux distros), the following is a must:
    # Allow router advertisements on local network segments
    for icmptype in 133 134 135 136 137; do
        ip6tables -A INPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type $icmptype -m hl --hl-eq 255 -j ACCEPT
    done
The reasoning is obvious from the comment. :) Working around the missing support by omitting the hl match a) works and b) leaves a gaping, nasty hole in the external firewall permitting RA directly to your subnet from the Internet… this is Not Good(TM).
Compiling libip6t_hl.so was trivial, but it would appear that CONFIG_NETFILTER_XT_MATCH_HL doesn't appear in the Tomato kernel .config at all, nor does any of the corresponding netfilter kernel code.
This one may be a bit over my head to backport - anyone interested in taking a swing and/or providing a valid alternative approach to the firewall entry above?
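
An added example, not part of the original post: a small audit that reads rules in the `-A ...` form quoted above and prints every ACCEPT rule for ICMPv6 types 133-137 that lacks the `-m hl --hl-eq 255` match, which is the gap left when the hl match is dropped. The function name `audit_ndp_rules` and the sample rules are constructed for illustration, and the check assumes numeric `--icmpv6-type` values as in the post.

```shell
#!/bin/sh
# Added example (not from the post): find neighbor-discovery ACCEPT rules
# that are missing the hop-limit 255 check.

# Reads one rule per line on stdin, prints the rules that accept ICMPv6
# types 133-137 without "-m hl --hl-eq 255".
audit_ndp_rules() {
    while IFS= read -r rule; do
        # Only ACCEPT rules open the firewall.
        case "$rule" in
            *"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        # Only the neighbor-discovery types from the post (numeric form).
        case "$rule" in
            *"--icmpv6-type 13"[3-7]" "*|*"--icmpv6-type 13"[3-7]) ;;
            *) continue ;;
        esac
        # A rule carrying the exact hop-limit 255 match is fine.
        case "$rule" in
            *"-m hl --hl-eq 255 "*|*"-m hl --hl-eq 255") continue ;;
        esac
        printf '%s\n' "$rule"
    done
}

# Constructed sample ruleset: one correct RA rule, one with the hl match
# omitted, one with the wrong hop limit, one unrelated echo-request rule,
# and one correct OUTPUT rule.
SAMPLE_RULES='-A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 64 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT'

# Print the rules that need attention in the sample.
printf '%s\n' "$SAMPLE_RULES" | audit_ndp_rules
```

On a live system the same function can be fed from `ip6tables-save` instead of the sample variable.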