[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping
Brian J. Murrell
brian at interlinx.bc.ca
Tue Jun 16 17:01:45 EDT 2015
On Tue, 2015-06-16 at 18:56 +0200, Steven Barth wrote:
> Source-Destination matching is done in the regular routing table.
> E.g. for my he.net connection the v6 routing table looks like this:
>
> default from 2001:470:xx:yyy::/64 dev 6in4-henet proto static metric 1024
> default from 2001:470:zzzz::/48 dev 6in4-henet proto static metric 1024
Ahhhh. I see what you are saying now.
> if you try to send with a ULA there is no matching route since there is
> no unspecific default route.
Unfortunately I do have such a route (that is not Source matching in
addition to the destination):
default via 2001:470:aa:bbb::1 dev 6in4-henet metric 1024
This is likely due to Shorewall and LSM managing a default route in a
multi-isp configuration.
> Also I disagree about the general usefulness of a fc00::/7 block. I can
> imagine e.g. a VPN-scenario where (on top of tunneling internet access)
> you access certain local services which have ULAs. This would
> essentially be broken by your generic rule for not much added gain.
But (and yes) if you had an fc00::/7 unreachable route, any ULAs you
need to reach need to have more specific routes, but one should have
those because one should be getting those through a routing protocol.
It just seems to make sense to me that a router that would otherwise
route ULAs out to a network where ULAs have not been announced should
prevent them from going there. I guess that's a point we might just
have to agree to disagree on.
But you are right that the Source-Destination matching should take care
of not letting ULAs out. I just have something in my configuration that
is defeating that at the moment. :-(
Thanks very much for your patience on this.
b.
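The route selection discussed in the thread, modelled in Python as an added example that is not part of the original message. The model is simplified (longest destination prefix, then longest "from" prefix, then lowest metric); the prefixes, interface names and the `lookup`/`egress` helpers are constructed stand-ins, not the posters' real he.net allocation.

```python
# Added example: why source-matched defaults keep ULA-sourced packets in,
# why an unspecific default route defeats that, and how an "unreachable
# fc00::/7" route behaves next to a more-specific ULA route.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

@dataclass(frozen=True)
class Route:
    dst: IPv6Network                   # destination prefix ("default" = ::/0)
    dev: Optional[str]                 # output interface, None = unreachable
    src: Optional[IPv6Network] = None  # "from" prefix, None = any source
    metric: int = 1024

def lookup(table, src, dst):
    """Simplified Linux-style selection for (src, dst): longest destination
    match, then longest source match, then lowest metric. None = no route."""
    s, d = IPv6Address(src), IPv6Address(dst)
    cands = [r for r in table
             if d in r.dst and (r.src is None or s in r.src)]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.dst.prefixlen,
                                     -1 if r.src is None else r.src.prefixlen,
                                     -r.metric))

def egress(table, src, dst):
    """Outgoing device, or 'unreachable' when the packet cannot be routed."""
    r = lookup(table, src, dst)
    return "unreachable" if r is None or r.dev is None else r.dev

# Constructed documentation prefixes standing in for the he.net /64 and /48.
HENET64 = IPv6Network("2001:db8:aa::/64")
HENET48 = IPv6Network("2001:db8:bb::/48")
LAN_ULA = IPv6Network("fd00:1::/64")      # constructed local ULA prefix

# Only source-matched defaults, no unspecific default (the layout Steven shows).
source_matched = [
    Route(IPv6Network("::/0"), "6in4-henet", src=HENET64),
    Route(IPv6Network("::/0"), "6in4-henet", src=HENET48),
    Route(LAN_ULA, "br-lan"),
]
# The same plus an unspecific default managed by another tool (Brian's case).
with_plain_default = source_matched + [Route(IPv6Network("::/0"), "6in4-henet")]
# Brian's proposal: unreachable fc00::/7; known ULAs keep more-specific routes.
with_ula_block = source_matched + [Route(IPv6Network("fc00::/7"), None)]
```

Run `egress(with_plain_default, "fd00:1::5", "2606:4700::1")` to see the ULA-sourced packet leave via the tunnel, and the same call on `source_matched` to see it rejected.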