[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

Brian J. Murrell brian at interlinx.bc.ca
Tue Jun 16 17:01:45 EDT 2015


On Tue, 2015-06-16 at 18:56 +0200, Steven Barth wrote:
> Source-Destination matching is done in the regular routing table.
> E.g. for my he.net connection the v6 routing table looks like this:
> 
> default from 2001:470:xx:yyy::/64 dev 6in4-henet  proto static  metric 1024
> default from 2001:470:zzzz::/48 dev 6in4-henet  proto static  metric 1024

Ahhhh.  I see what you are saying now.

> if you try to send with a ULA there is no matching route since there is
> no unspecific default route.

Unfortunately I do have such a route (that is not Source matching in
addition to the destination):

default via 2001:470:aa:bbb::1 dev 6in4-henet  metric 1024 

This is likely due to Shorewall and LSM managing a default route in a
multi-isp configuration.

> Also I disagree about the general usefulness of a fc00::/7 block. I can
> imagine e.g. a VPN-scenario where (on top of tunneling internet access)
> you access certain local services which have ULAs. This would
> essentially be broken by your generic rule for not much added gain.

But (and yes) if you had an fc00::/7 unreachable route, any ULAs you
need to reach need to have more specific routes, but one should have
those because one should be getting those through a routing protocol.

It just seems to make sense to me that a router that would otherwise
route ULAs out to a network where ULAs have not been announced should
prevent them from going there.  I guess that's a point we might just
have to agree to disagree on.

But you are right that the Source-Destination matching should take care
of not letting ULAs out.  I just have something in my configuration that
is defeating that at the moment.  :-(

Thanks very much for your patience on this.

b.
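The route-selection behaviour the two posters are arguing about can be checked offline before touching a live router. The script below is an added illustration, not code from either poster or from OpenWrt: it parses a handful of constructed `ip -6 route` lines (documentation prefixes stand in for the `xx:yyy` and `aa:bbb` placeholders in the thread) and simulates a simplified model of Linux IPv6 route selection, which is assumed here to be longest destination prefix first, then longest `from` (source) prefix, then lowest metric. With only source-scoped default routes a ULA source finds no route at all; adding an unscoped default (Brian's situation) lets the ULA source escape; an `unreachable fc00::/7` route catches unannounced ULA destinations while a more-specific ULA route (Steven's VPN case) still wins.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY6 = ipaddress.IPv6Network("::/0")


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv6Network            # destination prefix; "default" means ::/0
    dev: str                              # egress interface, or "unreachable"
    src: ipaddress.IPv6Network = ANY6     # 'from' prefix; ::/0 means unscoped
    metric: int = 1024


def parse_route(line: str) -> Route:
    """Parse the subset of `ip -6 route` output that appears in the thread."""
    tokens = line.split()
    unreachable = tokens[0] == "unreachable"
    if unreachable:
        tokens = tokens[1:]
    dst = ANY6 if tokens[0] == "default" else ipaddress.IPv6Network(tokens[0])
    dev, src, metric = "", ANY6, 1024
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "from":
            src = ipaddress.IPv6Network(tokens[i + 1]); i += 2
        elif tok == "dev":
            dev = tokens[i + 1]; i += 2
        elif tok == "metric":
            metric = int(tokens[i + 1]); i += 2
        elif tok in ("via", "proto"):
            i += 2                        # value is irrelevant to selection here
        else:
            i += 1                        # ignore flags such as "pref medium"
    return Route(dst, "unreachable" if unreachable else dev, src, metric)


def lookup(table: List[Route], src: str, dst: str) -> Optional[Route]:
    """Simplified Linux selection: dst longest-prefix, then 'from' longest-prefix, then metric."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    candidates = [r for r in table if d in r.dst and s in r.src]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dst.prefixlen, -r.src.prefixlen, r.metric))


def egress(table: List[Route], src: str, dst: str) -> str:
    """Return the interface a (src, dst) pair would leave on, 'unreachable', or 'no route'."""
    r = lookup(table, src, dst)
    return "no route" if r is None else r.dev


# Constructed sample tables (documentation prefixes; not the posters' real addresses).
SCOPED_ONLY = [parse_route(l) for l in [
    "default from 2001:db8:1:1::/64 dev 6in4-henet proto static metric 1024",
    "default from 2001:db8:2::/48 dev 6in4-henet proto static metric 1024",
    "fd12:3456:789a::/48 dev br-lan proto kernel metric 256",
]]
# Brian's case: an unscoped default route added by the multi-ISP tooling.
WITH_UNSCOPED_DEFAULT = SCOPED_ONLY + [parse_route(
    "default via 2001:db8::1 dev 6in4-henet metric 1024")]
# Adding the fc00::/7 guard plus a more-specific ULA route for a VPN-reachable site.
WITH_ULA_GUARD = WITH_UNSCOPED_DEFAULT + [parse_route(l) for l in [
    "unreachable fc00::/7 metric 2147483647",
    "fdab:cdef:1::/48 dev vpn0 proto static metric 1024",
]]

LAN_ULA, GUA = "fd12:3456:789a::10", "2001:db8:1:1::10"
INTERNET = "2001:db8:ffff::1"

if __name__ == "__main__":
    print("ULA src, scoped defaults only :", egress(SCOPED_ONLY, LAN_ULA, INTERNET))
    print("ULA src, unscoped default     :", egress(WITH_UNSCOPED_DEFAULT, LAN_ULA, INTERNET))
    print("GUA src -> unannounced ULA dst:", egress(WITH_ULA_GUARD, GUA, "fd99::1"))
    print("GUA src -> VPN ULA dst        :", egress(WITH_ULA_GUARD, GUA, "fdab:cdef:1::1"))
```

The last two lines of output are the crux of Steven's objection: the blanket `unreachable fc00::/7` only bites when no more-specific ULA route exists, so a VPN prefix with its own route is unaffected. Note also that the guard is a destination-based route and does nothing for Brian's problem, which is a ULA *source* escaping via the unscoped default; that is fixed by removing the unscoped default, not by the guard.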
