[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

Steven Barth cyrus at openwrt.org
Tue Jun 16 12:56:34 EDT 2015


Source-Destination matching is done in the regular routing table.
E.g. for my he.net connection the v6 routing table looks like this:

default from 2001:470:xx:yyy::/64 dev 6in4-henet  proto static  metric 1024
default from 2001:470:zzzz::/48 dev 6in4-henet  proto static  metric 1024

If you try to send with a ULA there is no matching route since there is
no unspecific default route.



Also, I disagree about the general usefulness of a fc00::/7 block. I can
imagine e.g. a VPN-scenario where (on top of tunneling internet access)
you access certain local services which have ULAs. This would
essentially be broken by your generic rule for not much added gain.



Cheers,

Steven
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
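
Added example (not part of the original message and not OpenWrt code): a simplified Python model of the source-specific route lookup described above, usable to audit a table for a default route that would carry ULA sources. The prefixes are constructed documentation addresses standing in for the elided ones, and parse_routes, lookup and unrestricted_defaults are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the format of `ip -6 route` output; the prefixes are
# documentation addresses, not the elided ones from the post.
SAMPLE_TABLE = """\
default from 2001:db8:1:2::/64 dev 6in4-henet  proto static  metric 1024
default from 2001:db8:100::/48 dev 6in4-henet  proto static  metric 1024
fd12:3456:789a::/64 dev br-lan  proto static  metric 1024
"""

ANY = ipaddress.ip_network("::/0")


def parse_routes(text):
    """Return (dst_net, src_net, dev) tuples for unicast lines of this format."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = ANY if tok[0] == "default" else ipaddress.ip_network(tok[0])
        # A route without "from" accepts any source address.
        src = ipaddress.ip_network(tok[tok.index("from") + 1]) if "from" in tok else ANY
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((dst, src, dev))
    return routes


def lookup(routes, src, dst):
    """Simplified model: both prefixes must match; longest dst, then longest src."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r[0] and s in r[1]]
    if not hits:
        return None  # no matching route: the packet is not forwarded
    return max(hits, key=lambda r: (r[0].prefixlen, r[1].prefixlen))[2]


def unrestricted_defaults(routes):
    """Default routes with no source restriction; these would also match ULA sources."""
    return [r for r in routes if r[0] == ANY and r[1] == ANY]
```

With only source-restricted defaults present, a ULA source finds no route to an off-link destination while on-link ULA traffic still resolves; a single unspecific default changes that result.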


