ip6tables and multiple possible source addresses

Olipro olipro at 8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa
Wed Jan 18 20:57:40 CET 2012


On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote:
> Someone must have already figured this out; I'm feeling "virtual Monday"
> pretty bad right now :-(
> 
> With IPv6 a host can have "lots" (more than 1) of possible IPv6
> addresses to use as the source address. I've read the RFCs, so I can
> (usually) make a good guess as to which one will be used, but...
> 
> When writing a host-specific ip6tables rule, which address do you need
> to list? All of the possible Global Scoped addresses?
> 
> This seems...... awkward (and error prone).
> 
> Am I missing something, or is it that bad?
> 
> --tep

If using DHCPv6 and refusing to route unleased addresses (or subnets) 
*isn't* an option for you and SLAAC is a must, then the only real way to 
handle this is to allocate a /64 *per host* and perform your firewalling on 
the CIDR boundary - not an entirely impossible prospect if you have a 
reasonable subnet size to play with.

On a side note, one thing to bear in mind is that when you make router 
advertisements, you can set AdvOnLink to off, which has the effect of 
causing /all/ traffic for that subnet to be routed; hosts will not attempt 
or use neighbour discovery - useful if you want to use a single subnet 
across multiple VLANs.
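The per-host /64 approach above, as an added illustration (this is not code from the thread or from either poster): one ip6tables rule that matches on the CIDR boundary covers every source address a SLAAC host may choose, including RFC 4941 temporary addresses that change over time, whereas a per-address allow list only matches the addresses you knew about when you wrote it. The prefixes, host names, observed addresses and the "allow SSH from host" policy are all constructed for the example.

```python
"""Added example (not part of the original post): per-host /64 firewalling
versus per-address rules for SLAAC hosts. All prefixes, hosts, addresses and
the policy (allow TCP/22 from a host) are constructed for illustration."""
import ipaddress
import os

# Constructed: each host gets its own /64 carved from a site block, so the
# firewall can match on the CIDR boundary instead of on individual addresses.
HOST_PREFIXES = {
    "alpha": ipaddress.IPv6Network("2001:db8:1:a::/64"),
    "bravo": ipaddress.IPv6Network("2001:db8:1:b::/64"),
}

# Constructed: source addresses seen from host alpha over time. The first is
# its EUI-64 address; the next two are RFC 4941 temporary (privacy) addresses
# that rotate, which is what makes a per-address allow list go stale.
OBSERVED_SOURCES = [
    "2001:db8:1:a:21b:21ff:fe12:3456",   # alpha, EUI-64 derived
    "2001:db8:1:a:4d1f:9a2c:7e3b:1c0d",  # alpha, temporary address
    "2001:db8:1:a:8e2a:5d9:b17f:2a44",   # alpha, later temporary address
    "2001:db8:1:b:21b:21ff:fe65:4321",   # bravo; must NOT match alpha's rule
]


def prefix_rule(host, dport=22):
    """Build the single ip6tables rule that matches the host's whole /64
    (hypothetical policy: accept TCP to dport from that host)."""
    net = HOST_PREFIXES[host]
    return (f"ip6tables -A INPUT -s {net.with_prefixlen} "
            f"-p tcp --dport {dport} -j ACCEPT")


def address_rule(addr, dport=22):
    """The awkward alternative: one rule per known source address."""
    return (f"ip6tables -A INPUT -s {ipaddress.IPv6Address(addr)}/128 "
            f"-p tcp --dport {dport} -j ACCEPT")


def prefix_matches(host, src):
    """Would the /64 rule for `host` match a packet from `src`?"""
    return ipaddress.IPv6Address(src) in HOST_PREFIXES[host]


def address_list_matches(allowed, src):
    """Would a per-address allow list match a packet from `src`?"""
    return ipaddress.IPv6Address(src) in {ipaddress.IPv6Address(a) for a in allowed}


def host_for_source(src):
    """Which host's /64 does a source address fall in? None if unallocated,
    i.e. the packet should be dropped at the CIDR boundary."""
    addr = ipaddress.IPv6Address(src)
    for host, net in HOST_PREFIXES.items():
        if addr in net:
            return host
    return None


def random_temporary_address(host):
    """Simulate the host generating a fresh privacy address: its /64 plus a
    random 64-bit interface identifier."""
    net = HOST_PREFIXES[host]
    iid = int.from_bytes(os.urandom(8), "big")  # always < 2**64, stays in /64
    return str(ipaddress.IPv6Address(int(net.network_address) + iid))


def compare(host, allowed_addrs, sources):
    """Return (prefix_rule_hits, address_list_hits) over observed sources."""
    prefix_hits = sum(prefix_matches(host, s) for s in sources)
    addr_hits = sum(address_list_matches(allowed_addrs, s) for s in sources)
    return prefix_hits, addr_hits


if __name__ == "__main__":
    # The per-address list only knows alpha's EUI-64 address.
    known = [OBSERVED_SOURCES[0]]
    print(prefix_rule("alpha"))
    for a in known:
        print(address_rule(a))
    print("prefix rule hits, address list hits:",
          compare("alpha", known, OBSERVED_SOURCES))
    fresh = random_temporary_address("alpha")
    print(fresh, "->", host_for_source(fresh))
```

The `compare` call shows the gap directly: the /64 rule matches all three of alpha's addresses and none of bravo's, while the address list matches only the one address it was written for. `host_for_source` is the classification a boundary firewall effectively performs, and it returns `None` for anything outside the allocated prefixes, which is the "refuse to route unallocated space" half of the approach.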


More information about the ipv6-ops mailing list