[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping
Brian J. Murrell
brian at interlinx.bc.ca
Tue Jun 16 08:07:02 EDT 2015
On Tue, 2015-06-16 at 08:47 +0200, Steven Barth wrote:
> That commit got reverted 4 months later

Oh good. It was the wrong way to solve that, IMHO.

> Source-Destination routing has been used to replace it for egress
> traffic, i.e. there are simply no external (e.g. default) routes that
> have a matching source-restriction.

I'm not sure exactly what all of that meant but egress is my concern
here so let's expand here.

Ultimately, I don't see anything in the IPv6 routing table on my 14.07
router that prevents the LAN side of the 14.07 router from trying to
access a ULA (or any other bogon) that is on the WAN side of the router
(i.e. through the default route), because somebody incorrectly lists a
ULA on their Internet-facing DNS zone, for example.

I would have expected to see something along the lines of a:

    unreachable fc00::/7 dev lo metric 1024 error -128

but I don't. So what mechanism is (or should be) being used to
accomplish that?

Cheers,
b.
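Added example, not part of the original message and not OpenWrt code: a simplified model of source-restricted route lookup covering the two cases raised in this exchange, a ULA source heading out and a global source heading to a foreign ULA destination. The route table, the prefixes (2001:db8::/32 documentation space, fd00:1234:5678::/64) and the device names are constructed assumptions, not a dump from a real router.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    dst: str     # destination prefix
    src: str     # source restriction ("::/0" means any source)
    action: str  # outgoing device, or "unreachable"

# Constructed table (assumption): one delegated global prefix, one local ULA prefix.
BASE = [
    Route("2001:db8:aa00::/64", "::/0", "br-lan"),
    Route("fd00:1234:5678::/64", "::/0", "br-lan"),
    # The only default route is restricted to the delegated prefix as source.
    Route("::/0", "2001:db8:aa00::/56", "wan"),
]
# The kind of entry the message expected to see (metric/error fields omitted).
ULA_UNREACHABLE = Route("fc00::/7", "::/0", "unreachable")

def lookup(table: List[Route], src: str, dst: str) -> Optional[str]:
    """Most specific destination wins, then most specific source.
    Returns None when no route matches both addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for r in table:
        dn, sn = ipaddress.ip_network(r.dst), ipaddress.ip_network(r.src)
        if d in dn and s in sn:
            key = (dn.prefixlen, sn.prefixlen)
            if best is None or key > best[0]:
                best = (key, r.action)
    return best[1] if best else None

def scenarios() -> dict:
    gua_host, ula_host = "2001:db8:aa00::10", "fd00:1234:5678::10"
    foreign_ula = "fd12:3456:789a::1"   # constructed ULA that is not ours
    guarded = BASE + [ULA_UNREACHABLE]
    return {
        # ULA source to the Internet: no default route accepts this source.
        "ula_src_out": lookup(BASE, ula_host, "2001:db8:ffff::1"),
        # Global source to a foreign ULA: the default route still matches.
        "gua_to_foreign_ula": lookup(BASE, gua_host, foreign_ula),
        # Same packet once fc00::/7 is covered by an unreachable route.
        "gua_to_foreign_ula_guarded": lookup(guarded, gua_host, foreign_ula),
        # The more specific local ULA /64 keeps working on the LAN.
        "gua_to_local_ula_guarded": lookup(guarded, gua_host, "fd00:1234:5678::20"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In this model the source restriction only stops packets whose source is a ULA; a destination-based entry for fc00::/7 is what changes the outcome for the foreign-ULA destination.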