[PATCH netifd v2] interface-ip: fix ipv6 routing loop
Hans Dedecker
dedeckeh at gmail.com
Wed Mar 29 12:14:28 PDT 2023
Hi,
On Wed, Mar 29, 2023 at 4:44 PM Maxim Mikityanskiy <maxtram95 at gmail.com> wrote:
>
> Hello Hans!
>
> On Sun, 03 Jan 2021 12:14:18 -0800, Hans Dedecker wrote:
> > In case of prefix delegation an upstream ISP will route the complete
> > delegated prefix (e.g. 2001:DB8:BEEF::/56) to an OpenWrt device, OpenWrt
> > will route back the complete /56 not matching a local or subdelegated
> > prefix and with as source an address from the delegated prefix
> > causing a routing loop.
> > Fix this by using an ip rule which directs traffic matching the
> > subdelegated prefix and coming from the wan interface to the main or
> > user configured routing table.
> > An ip rule with lower priority will make sure the traffic not matching
> > the subdelegated prefix(es) will be dropped with an ICMPv6 unreachable
> > fixing the potential routing loop.
> >
> >
> > This will result in the following typical IPv6 rules:
> >
> > 0: from all lookup local
> > 30000: from all to 2001:DB8:BEEF::/64 iif eth4 lookup main
> > 30001: from all to 2001:DB8:BEEF::/56 iif eth4 unreachable
> > 32766: from all lookup main
> > 4200000000: from 2001:DB8:BEEF::1/64 iif br-lan unreachable
>
> Could you please hint me why the rule with ID 4200000000 is useful? I
> understand the purpose of rule 30001 explained in this commit message,
> but I can't imagine the situation in which rule 4200000000 would be
> triggered, because the main routing table has the default route that
> would be the final match.
If IPv6 source-based routing is used, the default route will only be
hit when the source IP matches the source attached to the default
route.
If this is not the case, the unreachable ip rule will be hit if the
source IP matches the source attached to the rule.
Hans
>
> Thanks,
> Max
>
> > 4200000001: from all iif lo failed_policy
> > 4200000011: from all iif eth0 failed_policy
> > 4200000015: from all iif eth4 failed_policy
> > 4200000015: from all iif eth4 failed_policy
> > 4200000019: from all iif br-lan failed_policy
> >
> > Signed-off-by: Hans Dedecker <dedec... at gmail.com>
> > ---
> > v2: Keep unreachable route in the routing table dropping traffic from the lan
> > not matching any routing rules with an ICMPv6 unreachable
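
The rule walk discussed in this thread, as an added example that is not part of the original mail or of netifd: a simplified Python model of Linux policy routing that evaluates the rules from the commit message in priority order. The main-table contents, the second source prefix 2001:db8:cafe::/56 and all helper names are constructed for illustration; the local and failed_policy rules are left out.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("::/0")

def net(s):
    # strict=False: the page writes the rule source as 2001:DB8:BEEF::1/64
    return ip_network(s, strict=False)

# (priority, from, to, iif, action) taken from the commit message.
RULES = [
    (30000, ANY, net("2001:db8:beef::/64"), "eth4", "main"),
    (30001, ANY, net("2001:db8:beef::/56"), "eth4", "unreachable"),
    (32766, ANY, ANY, None, "main"),
    (4200000000, net("2001:db8:beef::1/64"), ANY, "br-lan", "unreachable"),
]

def main_table(default_src):
    # Constructed main table: (destination, required source, out device).
    return [
        (net("2001:db8:beef::/64"), ANY, "br-lan"),
        (ANY, net(default_src), "eth4"),  # source-specific default route
    ]

def route_lookup(table, src, dst):
    # Longest destination prefix wins among routes whose source also matches.
    hits = [r for r in table if dst in r[0] and src in r[1]]
    return max(hits, key=lambda r: r[0].prefixlen)[2] if hits else None

def decide(src, dst, iif, table, rules=RULES):
    """Return (priority, verdict) of the first rule that settles the packet."""
    src, dst = ip_address(src), ip_address(dst)
    for prio, r_from, r_to, r_iif, action in sorted(rules, key=lambda r: r[0]):
        if src not in r_from or dst not in r_to or r_iif not in (None, iif):
            continue  # selector does not match this packet
        if action == "unreachable":
            return prio, "unreachable"
        dev = route_lookup(table, src, dst)
        if dev:  # a table lookup without a matching route falls through
            return prio, "dev " + dev
    return None, "no match"
```

With the default route bound to 2001:db8:beef::/56, a packet for an unassigned /64 that the ISP sends back in on eth4 stops at rule 30001 instead of leaving via eth4 again; with the default route bound to a different source prefix, LAN traffic from 2001:db8:beef::/64 falls through the main table and stops at rule 4200000000.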