[PATCH netifd v2] interface-ip: fix ipv6 routing loop

Maxim Mikityanskiy maxtram95 at gmail.com
Wed Mar 29 07:44:49 PDT 2023


Hello Hans!

On Sun, 03 Jan 2021 12:14:18 -0800, Hans Dedecker wrote:
> In case of prefix delegation an upstream ISP will route the complete
> delegated prefix (e.g. 2001:DB8:BEEF::/56) to an OpenWrt device, OpenWrt
> will route back the complete /56 not matching a local or subdelegated
> prefix and with as source an address from the delegated prefix
> causing a routing loop.
> Fix this by using an ip rule which directs traffic matching the
> subdelegated prefix and coming from the wan interface to the main or
> user configured routing table.
> An ip rule with lower priority will make sure the traffic not matching
> the subdelegated prefix(es) will be dropped with an ICMPv6 unreachable
> fixing the potential routing loop.
> 
> 
> This will result in the following typical IPv6 rules:
> 
> 0:      from all lookup local
> 30000:  from all to 2001:DB8:BEEF::/64 iif eth4 lookup main
> 30001:  from all to 2001:DB8:BEEF::/56 iif eth4 unreachable
> 32766:  from all lookup main
> 4200000000:     from 2001:DB8:BEEF::1/64 iif br-lan unreachable

Could you please give me a hint why the rule with ID 4200000000 is useful? I
understand the purpose of rule 30001 explained in this commit message,
but I can't imagine the situation in which rule 4200000000 would be
triggered, because the main routing table has the default route that
would be the final match.

Thanks,
Max

> 4200000001:     from all iif lo failed_policy
> 4200000011:     from all iif eth0 failed_policy
> 4200000015:     from all iif eth4 failed_policy
> 4200000015:     from all iif eth4 failed_policy
> 4200000019:     from all iif br-lan failed_policy
> 
> Signed-off-by: Hans Dedecker <dedec... at gmail.com>
> ---
> v2: Keep unreachable route in the routing table dropping traffic from the lan
> not matching any routing rules with an ICMPv6 unreachable
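
The following is an added example, not code from the patch or from netifd: a small Python model of how the quoted rule list is walked in priority order, where a `lookup` rule whose table has no route for the destination falls through to the next rule. The routing tables, the test addresses and the "rules without 30000/30001" comparison are constructed assumptions.

```python
import ipaddress

# Rules as quoted in the commit message: (priority, from, to, iif, action).
RULES = [
    (0, None, None, None, "lookup local"),
    (30000, None, "2001:db8:beef::/64", "eth4", "lookup main"),
    (30001, None, "2001:db8:beef::/56", "eth4", "unreachable"),
    (32766, None, None, None, "lookup main"),
    (4200000000, "2001:db8:beef::1/64", None, "br-lan", "unreachable"),
    (4200000001, None, None, "lo", "failed_policy"),
    (4200000011, None, None, "eth0", "failed_policy"),
    (4200000015, None, None, "eth4", "failed_policy"),
    (4200000019, None, None, "br-lan", "failed_policy"),
]

def table(*routes):
    return [(ipaddress.ip_network(p), dev) for p, dev in routes]

# Constructed routing tables (assumptions, not taken from the thread).
LOCAL = table(("2001:db8:beef::1/128", "lo"))
MAIN = table(("2001:db8:beef::/64", "br-lan"), ("::/0", "eth4"))
MAIN_NO_DEFAULT = table(("2001:db8:beef::/64", "br-lan"))

def route(tbl, dst):
    """Longest-prefix match; None means the table has no route for dst."""
    hits = [(net.prefixlen, dev) for net, dev in tbl if dst in net]
    return max(hits)[1] if hits else None

def decide(rules, main, src, dst, iif):
    """Walk the rules by priority; return (priority, verdict) of the deciding rule."""
    tables = {"local": LOCAL, "main": main}
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, r_from, r_to, r_iif, action in sorted(rules, key=lambda r: r[0]):
        if r_iif and r_iif != iif:
            continue
        if r_from and src not in ipaddress.ip_network(r_from, strict=False):
            continue
        if r_to and dst not in ipaddress.ip_network(r_to):
            continue
        if not action.startswith("lookup "):
            return prio, action
        dev = route(tables[action.split()[1]], dst)
        if dev is not None:  # a lookup with no matching route falls through
            return prio, "forward via " + dev
    return None, "no rule matched"
```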


