[PATCH netifd v2] interface-ip: fix ipv6 routing loop

Maxim Mikityanskiy maxtram95 at gmail.com
Thu Mar 30 04:25:44 PDT 2023


On Wed, 29 Mar 2023 at 21:14:28 +0200, Hans Dedecker wrote:
> Hi,
> 
> On Wed, Mar 29, 2023 at 4:44 PM Maxim Mikityanskiy <maxtram95 at gmail.com> wrote:
> >
> > Hello Hans!
> >
> > On Sun, 03 Jan 2021 12:14:18 -0800, Hans Dedecker wrote:
> > > In case of prefix delegation an upstream ISP will route the complete
> > > delegated prefix (e.g 2001:DB8:BEEF::/56) to an OpenWrt device, OpenWrt
> > > will route back the complete /56 not matching a local or subdelegated
> > > prefix and with as source an address from the delegated prefix
> > > causing a routing loop.
> > > Fix this by using an ip rule which directs traffic matching the
> > > subdelegated prefix and coming from the wan interface to the main or
> > > user configured routing table.
> > > An ip rule with lower priority will make sure the traffic not matching
> > > the subdelegated prefix(es) will be dropped with an ICMPv6 unreachable
> > > fixing the potential routing loop.
> > >
> > >
> > > This will result into the following typical IPv6 rules :
> > >
> > > 0:      from all lookup local
> > > 30000:  from all to 2001:DB8:BEEF::/64 iif eth4 lookup main
> > > 30001:  from all to 2001:DB8:BEEF::/56 iif eth4 unreachable
> > > 32766:  from all lookup main
> > > 4200000000:     from 2001:DB8:BEEF::1/64 iif br-lan unreachable
> >
> > Could you please hint me why the rule with ID 4200000000 is useful? I
> > understand the purpose of rule 30001 explained in this commit message,
> > but I can't imagine the situation in which rule 4200000000 would be
> > triggered, because the main routing table has the default route that
> > would be the final match.
> If IPv6 source based routing is used the default route will only be
> hit when the source IP matches the source attached to the default
> route.
> If this is not the case the unreachable ip rule will be hit if the
> source IP matches the source attached to the rule

Thanks for the explanation! That seems to be the same source IP in my
setup, though. I get a /48 prefix from tunnelbroker (XXXX), of which I
delegate /64 to LAN (YYYY), and I have these routes in the main table:

default from 2001:470:XXXX::/48 dev 6in4-wan6 proto static metric 1024 pref medium
2001:470:TTTT:TTTT::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
2001:470:XXXX:YYYY::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:XXXX::/48 dev lo proto static metric 2147483647 pref medium

and these rules:

32766:	from all lookup main
4200000000:	from 2001:470:XXXX:YYYY::1/64 iif br-lan unreachable

That is, the default rule should match on a superset of IPs compared to
the unreachable rule 4200000000.

What is the use case when this rule becomes effective?

> 
> Hans
> >
> > Thanks,
> > Max
> >
> > > 4200000001:     from all iif lo failed_policy
> > > 4200000011:     from all iif eth0 failed_policy
> > > 4200000015:     from all iif eth4 failed_policy
> > > 4200000015:     from all iif eth4 failed_policy
> > > 4200000019:     from all iif br-lan failed_policy
> > >
> > > Signed-off-by: Hans Dedecker <dedec... at gmail.com>
> > > ---
> > > v2: Keep unreachable route in the routing table dropping traffic from the lan
> > > not matching any routing rules with an ICMPv6 unreachable
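
Added example, not part of the original mail or of netifd: a simplified Python model of the `ip -6 rule` scan discussed above, using constructed 2001:db8: prefixes in place of the XXXX/YYYY placeholders. It evaluates one LAN packet twice: once with the source-specific default route covering the LAN source, as in the routes quoted in the mail, and once in an assumed variant where the only default route is bound to a different source prefix, so the lookup in main finds nothing and the scan falls through to rule 4200000000.

```python
import ipaddress as ipa

# Constructed documentation prefixes standing in for the mail's XXXX/YYYY.
PD, LAN = "2001:db8:aaaa::/48", "2001:db8:aaaa:1::/64"

def net(p):
    return ipa.ip_network(p, strict=False)

def table_lookup(routes, src, dst):
    """One table, simplified: dst and src must both match; longest dst, then metric."""
    hits = [r for r in routes
            if dst in net(r["dst"]) and src in net(r.get("from", "::/0"))]
    # No candidate means "no route": the caller moves on to the next rule.
    return min(hits, key=lambda r: (-net(r["dst"]).prefixlen, r["metric"]),
               default=None)

def evaluate(rules, tables, src, dst, iif):
    """Walk the rules in priority order, as `ip -6 rule` lists them."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for prio, r in sorted(rules.items()):
        if src not in net(r.get("from", "::/0")) or r.get("iif", iif) != iif:
            continue
        if r["action"] == "unreachable":
            return prio, "unreachable (rule)"
        route = table_lookup(tables[r["table"]], src, dst)
        if route:
            return prio, route["via"]
    return None, "no match"

def main_table(default_from):
    return {"main": [
        {"dst": "::/0", "from": default_from, "via": "dev 6in4-wan6", "metric": 1024},
        {"dst": LAN, "via": "dev br-lan", "metric": 1024},
        {"dst": PD, "via": "unreachable (route)", "metric": 2147483647},
    ]}

RULES = {
    32766: {"action": "lookup", "table": "main"},
    4200000000: {"from": LAN, "iif": "br-lan", "action": "unreachable"},
}

def demo():
    pkt = dict(src="2001:db8:aaaa:1::10", dst="2001:db8:ffff::1", iif="br-lan")
    covered = evaluate(RULES, main_table(PD), **pkt)
    # Assumed variant: the only default route is bound to a different prefix.
    uncovered = evaluate(RULES, main_table("2001:db8:bbbb::/48"), **pkt)
    return covered, uncovered

if __name__ == "__main__":
    print(demo())
```

The model ignores the failed_policy rules and the kernel's exact source-subtree backtracking; it only captures the ordering of rule scan versus table lookup.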


