Hi Tom, Tom Eastep schrieb am 06.09.2020 20:13 (GMT +02:00):
> On 8/17/20 6:33 PM, Tom Eastep wrote: >> On 8/17/20 5:23 PM, Timo Sigurdsson wrote: >>> Hi, >>> >>> I have shorewall running on a gateway that gets both IPv4 and IPv6 addresses >>> or prefixes dynamically assigned by my ISP. When I dump the ip6tables rules >>> with ip6tables-restore, I can see certain rules containing anycast addresses >>> for each interface. The rules look like these: >>> -A Broadcast -d 2001:db8:1:1::/128 -j DROP >>> -A Broadcast -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP >>> -A reject -d 2001:db8:1:1::/128 -j DROP >>> -A reject -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP >>> -A smurfs -s 2001:db8:1:1::/128 -g smurflog >>> -A smurfs -s 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -g smurflog >>> >>> I'd like to know: What generates these rules and can I suppress just these >>> without changing anything else in the ruleset? I tried a few options like >>> removing the nosmurfs option in the interfaces file, since the smurfs chain >>> is referenced here, but that didn't do anything. Neither did any of my >>> attempted changes to shorewall.conf, so I still don't even know what causes >>> these rules to be generated. >>> >>> The reason I'm asking is this: The anycast-related rules are the only ones >>> changing when I reload shorewall6 after my gateway received new IPv6 >>> addresses. Since renumbering occurs frequently on this machine, I'm >>> wondering >>> if I can avoid having to reload shorewall6 all the time. I thought about >>> adding a hook to my DHCPv6 client that could add the anycast addresses for >>> each interface to an ipset, so I could reference just the ipset in my >>> shorewall6 configuration and the ruleset itself could stay the same without >>> the need to reload shorewall6 after renumbering occurs. >>> >> >> It is currently somewhat convoluted to eliminate these rules: >> >> a) Create your own version of action.Broadcast which does not include >> the anycast addresses. >> >> b) Don't use nosmurfs. If you want Smurf protection: >> i) Create your own copy of action.DropSmurfs that doesn't include >> anycast addresses. >> ii) Invoke DropSmurfs in the ALL section of the rules file for packets >> entering through interfaces that you wish to protect. >> >> c) Use the REJECT_ACTION option in shorewall6.conf to define your own >> 'reject' chain. The action's code listed in the manpage should work, >> provided that you have done a), above. >> > > I've taken another look at this, and you can easily suppress these rules > by placing this statement in your /etc/shorewall6/init file: > > ALL_ACASTS='' > > Much easier than the convoluted instructions that I sent previuosly. > > -Tom > thanks a lot. I finally got around to test this and implement my custom anycast handling. It works like a treat. Not only does it allow me to skip reloading shorewall whenever the IPv6 prefixes change, but as a nice sideeffect, I can now also make use of the AUTOMAKE option. Previously, the anycast addresses contained in the ip6tables rules wouldn't be updated with AUTOMAKE enabled unless the configuration was changed as well. Btw. thanks for making the anycast rules optional in the next shorewall release! Kind regards, Timo _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
