Re: [OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-16 Thread Brian J. Murrell
On Tue, 2015-06-16 at 18:56 +0200, Steven Barth wrote:
> Source-Destination matching is done in the regular routing table.
> E.g. for my he.net connection the v6 routing table looks like this:
>
> default from 2001:470:xx:yyy::/64 dev 6in4-henet proto static metric 1024
> default from 2001:470:z

Re: [OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-16 Thread Steven Barth
Source-Destination matching is done in the regular routing table. E.g. for my he.net connection the v6 routing table looks like this:

default from 2001:470:xx:yyy::/64 dev 6in4-henet proto static metric 1024
default from 2001:470:::/48 dev 6in4-henet proto static metric 1024

if you try to

Re: [OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-16 Thread Brian J. Murrell
On Tue, 2015-06-16 at 17:05 +0200, Steven Barth wrote:
> You should see an unreachable route for your own local ULA /48.

Indeed:

fd31:aeb1:48df::/64 dev br-lan proto static metric 1024
unreachable fd31:aeb1:48df::/48 dev lo proto static metric 2147483647 error -128

> Also if your clients

Re: [OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-16 Thread Steven Barth
You should see an unreachable route for your own local ULA /48. Also if your clients try to use your local ULA as source to reach anything outside of the ULA (e.g. global addresses) this is blocked (there is no matching route - simpler explanation to my previous post). I don't see any particular p

Re: [OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-16 Thread Brian J. Murrell
On Tue, 2015-06-16 at 08:47 +0200, Steven Barth wrote:
> That commit got reverted 4 months later

Oh good. It was the wrong way to solve that, IMHO.

> Source-Destination routing has been used to replace it for egress
> traffic, i.e. there are simply no external (e.g. default) routes that
> have a

Re: [OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-15 Thread Steven Barth
That commit got reverted 4 months later and was never really in use for long. Source-Destination routing has been used to replace it for egress traffic, i.e. there are simply no external (e.g. default) routes that have a matching source-restriction. For ingress traffic the stateful firewall handle

[OpenWrt-Devel] firewall instead of routing rules to keep ULAs from escaping

2015-06-15 Thread Brian J. Murrell
I wonder why in https://dev.openwrt.org/changeset/35012 the choice was made to use the firewall to prevent ULA destination addresses from trying to be reached on the WAN vs. using routing rules and "unreachable" routes. Something like:

unreachable fc00::/7 dev lo metric 1024 error -128

in the