ip6tables and multiple possible source addresses
olipro at 8.c.9.b.0.7.4.0.18.104.22.168.ip6.arpa
Wed Jan 18 20:57:40 CET 2012
On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote:
> Someone must have already figured this out; I'm feeling "virtual Monday"
> pretty bad right now :-(
> With IPv6 a host can have "lots" (more than 1) of possible IPv6
> addresses to use as the source address. I've read the RFCs, so I can
> (usually) make a good guess as to which one will be used, but...
> When writing a host-specific ip6tables rule, which address do you need
> to list? All of the possible Global Scoped addresses?
> This seems...... awkward (and error prone).
> Am I missing something, or is it that bad?
If using DHCPv6 and refusing to route unleased addresses (or subnets)
*isn't* an option for you and SLAAC is a must, then the only real way to
handle this is to allocate a /64 *per host* and perform your firewalling on
the CIDR boundary - not an entirely impossible prospect if you have a
reasonable subnet size to play with.
On a side note, one thing to bear in mind is that when you make router
advertisements, you can set AdvOnlink to off which has the effect of
causing /all/ traffic for that subnet to be routed; hosts will not attempt
or use neighbour discovery - useful if you want to use a single subnet
across multiple VLANs.
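As an added illustration of the per-host /64 approach (example code, not from anyone in this thread): a SLAAC host forms one address from its MAC (modified EUI-64) and may also pick random temporary addresses in the same /64, so a rule listing the single EUI-64 address misses the temporary ones while a rule on the /64 boundary covers all of them. The prefixes, MAC and host names below are constructed sample data.

```python
import ipaddress
import os


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address a host forms from its /64 prefix and MAC (modified EUI-64)."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Network(prefix)[int.from_bytes(iid, "big")]


def temporary_address(prefix: str, rng=os.urandom) -> ipaddress.IPv6Address:
    """Privacy-extension style address: same /64, random 64-bit interface id."""
    return ipaddress.IPv6Network(prefix)[int.from_bytes(rng(8), "big")]


def source_permitted(rule_sources, addr) -> bool:
    """Would a chain whose ACCEPT rules use these -s values (host or CIDR) match addr?"""
    a = ipaddress.IPv6Address(addr)
    return any(a in ipaddress.IPv6Network(s, strict=False) for s in rule_sources)


def host_for_source(allocations, addr):
    """Look a source address up in a per-host /64 allocation table."""
    a = ipaddress.IPv6Address(addr)
    for host, prefix in allocations.items():
        if a in ipaddress.IPv6Network(prefix):
            return host
    return None


if __name__ == "__main__":
    # Constructed sample data: one /64 per host out of a documentation prefix.
    allocations = {"web1": "2001:db8:42:10::/64", "db1": "2001:db8:42:11::/64"}
    eui = eui64_address(allocations["web1"], "00:11:22:33:44:55")
    tmp = temporary_address(allocations["web1"])
    # Rule written for the one EUI-64 address: does not match the temporary address.
    print(source_permitted([f"{eui}/128"], tmp))        # False
    # Rule on the host's /64: matches whichever address the host chooses as source.
    print(source_permitted([allocations["web1"]], tmp))  # True
    print(host_for_source(allocations, tmp))             # web1
```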