On Thursday 2010-11-04 03:12, H. Peter Anvin wrote:
>
>Consider for example the case where I get from my ISP the netblock
>2001:0db8:ac10::/48. I subnet this internally with subnet numbers prefixed by
>/52 security domains, i.e. 2001:0db8:ac10:0000::/52, 2001:0db8:ac10:1000::/52
>and so forth. Accordingly, my ip6tables would contain rules as to what kind of
>traffic can flow between these prefixes.
>
>Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48. RA
>will handle reassigning addresses to actual downstream hosts, but things that
>explicitly encode IPv6 addresses need to be changed, and that includes
>ip6tables; in this case these rules now need to refer to
>2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.

Now that helps, thanks :)

You could use

	ip6tables -A FORWARD -d 0:0:0:1000::/0:0:0:ffff::

to ignore the changing prefix part.

>You're assuming (a) that I'm talking about a home gateway here (which may be,
>but is far from certain -- the dynamic prefixes are a design feature of the
>entire IPv6 Internet, and any entity that is not large enough to have direct
>access to BGP6 is required to handle arbitrary prefix changes),

I was just assuming this because I would find it highly disturbing if my
rented-servers-in-a-datacenter suddenly had their prefix changed, for then
that would also necessitate a change in the DNS zone. If you self-host your
own DNS zone to which the ISP has no write access, then good luck.
-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
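The point of the address/netmask form above is that ip6tables matches by computing (packet address AND mask) == (rule address AND mask), and the mask does not have to be a contiguous prefix, so the rule can pin only the subnet-ID bits and ignore the ISP-assigned /48 in front of them. The following is an added example, not code from the thread or from netfilter: it builds such rules for the /52 security-domain layout described in the quoted message and emulates the kernel's masked comparison to show that the same rule keeps matching hosts after the /48 is renumbered, while a conventional /52 rule stops matching. The two prefixes are taken from the quoted message; the domain numbers, host addresses and the DOMAIN_MASK value are assumptions made for illustration. Because the domain identifier of a /52 occupies only the top four bits of the fourth hextet, the example masks with f000 there; a mask of ffff would additionally pin the remaining twelve bits and match only the ::1000/64 within the domain.

```python
"""Prefix-independent ip6tables matches using explicit IPv6 netmasks.

Added example (not from the netfilter-devel thread).  The /48-from-ISP
and /52-security-domain layout follows the quoted message; the domain
numbers, host addresses and DOMAIN_MASK are assumptions for illustration.
"""
import ipaddress

# Assumed: the ISP-assigned /48 before and after renumbering (values
# taken from the quoted message).
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:ac10::/48")
NEW_PREFIX = ipaddress.IPv6Network("2001:6b2f:1705::/48")

# A /52 security domain lives in bits 48..51, i.e. the top nibble of the
# fourth hextet.  Masking only those bits ignores the /48 in front.
DOMAIN_MASK = ipaddress.IPv6Address("0:0:0:f000::")


def domain_match(domain):
    """'address/netmask' argument for -s/-d that matches every address in
    /52 security domain `domain` regardless of the upstream /48."""
    if not 0 <= domain <= 0xF:
        raise ValueError("a /52 domain id is a single nibble")
    # Bits 48..51 from the left: the fourth hextet is shifted 64 bits,
    # and the domain nibble is the top nibble of that hextet (<< 12).
    addr = ipaddress.IPv6Address(domain << 76)
    return f"{addr}/{DOMAIN_MASK}"


def forward_rule(src_domain, dst_domain, target="ACCEPT"):
    """Assemble an ip6tables FORWARD rule between two domains (as a string;
    nothing is executed here)."""
    return " ".join(["ip6tables", "-A", "FORWARD",
                     "-s", domain_match(src_domain),
                     "-d", domain_match(dst_domain),
                     "-j", target])


def parse_match(spec):
    """Split 'addr/mask' as written on the ip6tables command line into
    (addr, full netmask).  The mask may be a prefix length such as 52 or
    a full IPv6 netmask such as 0:0:0:f000::."""
    addr, _, mask = spec.partition("/")
    if ":" in mask:
        netmask = ipaddress.IPv6Address(mask)
    else:
        netmask = ipaddress.IPv6Network(f"::/{int(mask)}").netmask
    return addr, str(netmask)


def masked_match(packet_addr, rule_addr, rule_mask):
    """Emulate the kernel check: (packet & mask) == (rule & mask).
    Works for non-contiguous masks exactly like contiguous ones."""
    p = int(ipaddress.IPv6Address(packet_addr))
    r = int(ipaddress.IPv6Address(rule_addr))
    m = int(ipaddress.IPv6Address(rule_mask))
    return (p & m) == (r & m)


def survives_renumbering(spec, old_host, new_host):
    """(matched before, matched after) for one -s/-d match specification
    against a host address under the old and the new /48."""
    addr, mask = parse_match(spec)
    return (masked_match(old_host, addr, mask),
            masked_match(new_host, addr, mask))


if __name__ == "__main__":
    # Assumed host in security domain 1 under each prefix.
    old_host = "2001:db8:ac10:1abc::42"
    new_host = "2001:6b2f:1705:1abc::42"
    print(forward_rule(1, 2))
    print("mask rule  :", survives_renumbering(domain_match(1), old_host, new_host))
    print("prefix rule:", survives_renumbering("2001:db8:ac10:1000::/52", old_host, new_host))
```

Running it prints a rule of the form `ip6tables -A FORWARD -s 0:0:0:1000::/0:0:0:f000:: -d 0:0:0:2000::/0:0:0:f000:: -j ACCEPT`, followed by `(True, True)` for the netmask-based match and `(True, False)` for the /52 prefix rule, which is exactly the renumbering breakage the quoted message describes. The masks are still part of an explicit allow/deny policy: a mask that ignores the upstream bits also ignores whether the packet is from your own /48 at all, so the FORWARD chain should still carry the usual ingress filtering on the interface or the full prefix before these domain-to-domain rules.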