[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

Brian J. Murrell brian at interlinx.bc.ca
Tue Jun 16 08:07:02 EDT 2015


On Tue, 2015-06-16 at 08:47 +0200, Steven Barth wrote:
> That commit got reverted 4 months later

Oh good.  It was the wrong way to solve that, IMHO.

> Source-Destination routing has been used to replace it for egress
> traffic, i.e. there are simply no external (e.g. default) routes that
> have a matching source-restriction.

I'm not sure exactly what all of that meant but egress is my concern
here so let's expand here.

Ultimately, I don't see anything in the IPv6 routing table on my 14.07
router that prevents the LAN side of the 14.07 router from trying to
access a ULA (or any other bogon) that is on the WAN side of the router
(i.e. through the default route), because somebody incorrectly lists a
ULA in their Internet-facing DNS zone, for example.

I would have expected to see something along the lines of a:

unreachable fc00::/7 dev lo  metric 1024  error -128

but I don't.  So what mechanism is (or should be) being used to
accomplish that?

Cheers,
b.
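
An added illustration, not part of the original message or of OpenWrt's code: a simplified model of source-destination route selection, run over a constructed routing table, showing which packets bound for a foreign ULA would still match a source-restricted default route and how the `unreachable fc00::/7` route quoted above changes that. The prefixes, interface names and function names are assumptions made for the example.

```python
import ipaddress

# Constructed `ip -6 route show` output (documentation prefixes, not from the thread).
SAMPLE_ROUTES = """\
default from 2001:db8:1::/48 via fe80::1 dev eth1 proto static metric 512
2001:db8:1:10::/64 dev br-lan proto static metric 1024
fd12:3456:789a::/64 dev br-lan proto static metric 1024
fe80::/64 dev br-lan proto kernel metric 256
"""
# The route the message expected to find, as quoted there.
GUARD = "unreachable fc00::/7 dev lo  metric 1024  error -128\n"
REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}

def _opt(tok, key, default):
    """Value following keyword `key` in a tokenised route line."""
    return tok[tok.index(key) + 1] if key in tok else default

def parse_routes(text):
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = "unicast"
        if tok[0] in REJECT_TYPES:
            rtype, tok = tok[0], tok[1:]
        dst = "::/0" if tok[0] == "default" else tok[0]
        routes.append({
            "type": rtype,
            "dst": ipaddress.ip_network(dst),
            "src": ipaddress.ip_network(_opt(tok, "from", "::/0")),
            "dev": _opt(tok, "dev", None),
            "metric": int(_opt(tok, "metric", 1024)),
        })
    return routes

def lookup(routes, src, dst):
    """Simplified selection: longest destination match whose source
    restriction also matches, then longest source, then lowest metric."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r["dst"] and s in r["src"]]
    return max(hits, key=lambda r: (r["dst"].prefixlen, r["src"].prefixlen,
                                    -r["metric"]), default=None)

def leaves_via_default(routes, src, dst):
    """True when the packet would be forwarded along a default route."""
    r = lookup(routes, src, dst)
    return bool(r) and r["type"] == "unicast" and r["dst"].prefixlen == 0
```

On a router the input would be the output of `ip -6 route show`; attributes other than `from`, `dev` and `metric` are ignored by this parser.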
