Re: rules matching ipv6 prefix addrs

On 11/04/2010 07:55 AM, Pascal Hambourg wrote:

>> Consider for example the case where I get from my ISP the netblock
>> 2001:0db8:ac10::/48.  I subnet this internally with subnet numbers
>> prefixed by /52 security domains, i.e. 2001:0db8:ac10:0000::/52,
>> 2001:0db8:ac10:1000::/52 and so forth.
>
> /52 is quite unusual. AFAIK stateless autoconfiguration requires a
> prefix length of /64.


The implication in the example is that the /52 security domains each contain a number of /64 subnets.

>> Accordingly, my ip6tables would
>> contain rules as to what kind of traffic can flow between these prefixes.
>>
>> Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48.
>> RA will handle reassigning addresses to actual downstream hosts, but
>> things that explicitly encode IPv6 addresses need to be changed, and
>> that includes ip6tables, in this case these rules now need to refer to
>> 2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.
>
> Are you talking about rules on the router which subnets the block, or on
> downstream hosts?
> Also, is each subnet prefix on a separate link?
> Could you provide an example of such rules?

I'm talking about rules on the internal router(s) which separate the security domains. I can probably come up with a concrete ruleset, but it'll take a few days since I'm travelling at the moment.

	-hpa
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
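One way to keep such an inter-domain ruleset tied to the upstream prefix, added here as an example (it is not hpa's ruleset, which had not yet been posted): a POSIX shell script that derives each /52 security domain from a single ISP48 variable, so renumbering from 2001:0db8:ac10::/48 to 2001:6b2f:1705::/48 means editing one line. The permitted flows and the ISP48/IP6T variable names are constructed for the example.

```shell
#!/bin/sh
# Added example: regenerate the FORWARD rules between /52 security domains
# from one prefix variable, so an ISP renumbering changes exactly one line.
set -eu

# ISP-assigned /48 as its first three hextets plus a trailing colon.
# This is the only value that changes when the upstream prefix changes.
ISP48="${ISP48:-2001:0db8:ac10:}"

# How rules are emitted. Defaults to echo so the generated ruleset can be
# reviewed offline; run with IP6T=ip6tables (as root) to actually load it.
IP6T="${IP6T:-echo ip6tables}"

# domain_net NIBBLE -> the /52 for security domain NIBBLE (0-f) under $ISP48,
# e.g. domain_net 1 -> 2001:0db8:ac10:1000::/52
domain_net() {
    case "$1" in
        [0-9a-f]) printf '%s%s000::/52\n' "$ISP48" "$1" ;;
        *) echo "domain_net: '$1' is not a hex nibble" >&2; return 1 ;;
    esac
}

# allow_tcp SRC DST PORT: permit new TCP connections to PORT from security
# domain SRC into domain DST; replies return via the ESTABLISHED rule.
allow_tcp() {
    src=$(domain_net "$1")
    dst=$(domain_net "$2")
    $IP6T -A FORWARD -s "$src" -d "$dst" \
        -p tcp --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

# The policy itself. The permitted flows are constructed for the example;
# anything else crossing a domain boundary is logged and hits the DROP policy.
build_rules() {
    $IP6T -F FORWARD
    $IP6T -P FORWARD DROP
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    allow_tcp 0 1 443    # domain 0 may reach HTTPS in domain 1
    allow_tcp 1 2 5432   # domain 1 may reach PostgreSQL in domain 2
    $IP6T -A FORWARD -s "${ISP48}:/48" -d "${ISP48}:/48" \
        -j LOG --log-prefix "fwd-deny "
}

build_rules
```

Running the script as-is prints the ruleset for review; `ISP48=2001:6b2f:1705: IP6T=ip6tables sh rules.sh` regenerates and loads it for the new prefix.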

