On Wednesday 2010-11-03 23:36, H. Peter Anvin wrote:

>The prefix is set by the ISP and can change at any time.

I take it you mean a setup where addresses are automatically assigned (DHCPv6, PPP). Still I don't see the problem - any security-conscious person would use a drop-by-default ruleset. So a change of prefix address would, if anything, cause packets to get dropped in FORWARD.

(What do we have the "ip6table_filter.forward" module option for? Right. And why is it set to ACCEPT by default? *headshakethere*)

>In IPv4 this is generally masked by NAT, but in IPv6 it affects every
>host.

Different scenario. Because packets from the Internet are only destined for your home gateway address, they would get locally delivered in the normal case, and any forwarding is an opt-in process on the admin's behalf. If you used a FORWARD-DROP policy in IPv6, forwarding also becomes the same opt-in process. So it's not like NAT would be any magic.
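
The fail-closed behaviour argued for in the message above, as an added example that is not part of the original post: a toy first-match model of a FORWARD chain (not netfilter code) evaluated under a DROP and an ACCEPT policy before and after the ISP changes the prefix. The prefixes, host addresses and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: RFC 3849 documentation prefixes standing in for
# the ISP-delegated prefix before and after a renumbering.
OLD_PREFIX = "2001:db8:a::/48"
NEW_PREFIX = "2001:db8:b::/48"
INTERNET_HOST = "2001:db8:ffff::1"

# Ruleset written while OLD_PREFIX was delegated: the admin opted in to
# forwarding traffic that originates from the LAN, and nothing else.
RULES = [(OLD_PREFIX, "::/0", "ACCEPT")]


def forward_verdict(rules, policy, src, dst):
    """First matching (src_net, dst_net, verdict) rule wins; else chain policy."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, verdict in rules:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return verdict
    return policy


def host_in(prefix):
    """Address of a hypothetical LAN host (::10) inside the given prefix."""
    return str(ip_network(prefix).network_address + 0x10)


def scenario(policy):
    """Verdicts for outbound and unsolicited inbound packets around a renumbering."""
    old, new = host_in(OLD_PREFIX), host_in(NEW_PREFIX)
    return {
        "old_outbound": forward_verdict(RULES, policy, old, INTERNET_HOST),
        "old_inbound": forward_verdict(RULES, policy, INTERNET_HOST, old),
        "new_outbound": forward_verdict(RULES, policy, new, INTERNET_HOST),
        "new_inbound": forward_verdict(RULES, policy, INTERNET_HOST, new),
    }


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(policy, scenario(policy))
```

Under DROP the stale rule stops matching after the prefix change and every packet falls through to the policy, so the failure is lost connectivity rather than exposure; under ACCEPT unsolicited inbound packets are forwarded both before and after.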