* nftables and RFC 7084 section-4.3 L-14
@ 2024-02-15 22:11 Martin Tonusoo
From: Martin Tonusoo @ 2024-02-15 22:11 UTC (permalink / raw)
  To: netfilter

Hi.

RFC 7084 (Basic Requirements for IPv6 Customer Edge Routers) section
4.3 L-14 mandates that if a router's LAN-facing interface receives an
IPv6 packet with a source address from a prefix that has been
invalidated, then the router must send an ICMPv6 type "Destination
Unreachable" code "Source address failed ingress/egress policy" back
to the source. For example, this could happen if the ISP changes the
delegated global unicast IPv6 prefix and a host on the LAN, for whatever
reason, keeps using the old IPv6 prefix. I guess the idea of RFC
7084 section 4.3 L-14 is to signal back to the source that the prefix is
no longer usable.

This could be implemented by sending the packets failing the RPF check:

table inet filter {
        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "lan0" meta nfproto ipv6 fib saddr . iif oif missing counter packets 0 bytes 0 queue to 10 comment "RPF check"
        }
}

... to a userspace program which sends the error message back to the
source via the LAN-facing interface and then drops the packet:
https://gist.github.com/tonusoo/6051bfbf0a0740dee62c4e0b0ed4e2ab


Can anyone think of a way to accomplish this without sending packets
to userspace? I guess the main challenge is the missing neighbor cache
entry for the source IPv6 address.


thanks,
Martin
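What the userspace side of this has to produce, as an added example (not the gist linked above and not code from the thread): a builder for the ICMPv6 Destination Unreachable, code 5 reply, with the pseudo-header checksum computed explicitly and the invoking packet truncated to the 1280-byte minimum IPv6 MTU as RFC 4443 requires. The addresses are constructed sample values; handing the finished packet to the LAN-facing interface (the neighbor-cache part of the question) is left to the caller.

```python
import struct
import ipaddress

IPV6_MIN_MTU = 1280          # RFC 8200 minimum link MTU: the reply must not exceed it
ICMPV6_DEST_UNREACH = 1      # RFC 4443 type 1, Destination Unreachable
ICMPV6_POLICY_FAIL = 5       # code 5, "Source address failed ingress/egress policy"
IPV6_HDR_LEN = 40
ICMPV6_HDR_LEN = 8

def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Ones' complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00\x3a"  # next header 58
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_policy_fail(offending: bytes, reply_src: str) -> bytes:
    """Return a full IPv6 packet carrying ICMPv6 type 1 / code 5 addressed to the
    offending packet's source, with as much of that packet as fits in the minimum MTU."""
    if len(offending) < IPV6_HDR_LEN or offending[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(reply_src).packed
    dst = offending[8:24]                      # offending source becomes the reply destination
    body = offending[:IPV6_MIN_MTU - IPV6_HDR_LEN - ICMPV6_HDR_LEN]
    icmp = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, ICMPV6_POLICY_FAIL, 0, 0) + body
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 64) + src + dst
    return ip6 + icmp

def verify_checksum(packet: bytes) -> bool:
    """Recomputing over a correctly checksummed message folds to zero."""
    return icmpv6_checksum(packet[8:24], packet[24:40], packet[40:]) == 0

def make_sample_offending(payload_len: int = 1400) -> bytes:
    """Constructed sample: a UDP packet from a host still using the old, invalidated prefix."""
    src = ipaddress.IPv6Address("2001:db8:1::10").packed    # old delegated prefix (constructed)
    dst = ipaddress.IPv6Address("2001:db8:ffff::1").packed  # off-LAN destination (constructed)
    udp = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0) + b"\x00" * payload_len
    return struct.pack("!IHBB", 0x60000000, len(udp), 17, 64) + src + dst + udp

if __name__ == "__main__":
    reply = build_policy_fail(make_sample_offending(), "fe80::1")  # router LAN link-local (constructed)
    print(len(reply), reply[40], reply[41], verify_checksum(reply))
```

nftables' own reject statement also knows this code as `reject with icmpv6 type policy-fail` (in input, forward or output chains, not prerouting); whether the kernel then routes that reply out the LAN-facing interface is the same open question raised in the message.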
