On 10/17/06 14:35, Thomas Graf wrote:

Hi Thomas,

> Because otherwise a rule containing only a source prefix match is
> equivalent to a catch-all rule for all lookups not providing a
> source address. An example: Someone adding the rule
>
>   ip rule add from 2001::1/128 unreachable
>
> results in _all_ lookups not providing a source address to
> resolve to unreachable which means that all source address
> lookups will fail.

One quick but ugly hack would be to handle FR_ACT_TO_TBL rules differently than the others in fib6_rule_match(). I don't necessarily recommend this approach, but it could work. What do you say?

> The problem starts that both the routing decision and source address
> selection is both a routing decision sharing the same logic which
> are now conflicting as the behaviour for a "from ANY" requires
> different logic. In order to solve this, rules must be restricted to
> one of these paths, i.e. a rule intending to make certain prefixes
> unreachable may not apply to the source selection logic. This can be
> achieved using the 'reason' field I proposed in my netconf slides, it
> would allow turning the first rule example into
>
>   rule add from 2001::1/128 for INPUT unreachable
>
> which would no longer apply when looking up the source address or
> deciding the outgoing route.

Is there any reason we couldn't implement this?

BTW I will not really be able to participate in this discussion until Thursday, but please continue! Hopefully someone has a working solution that everyone is ok with by then ;-)

I'm currently cooking something up, but I'm not yet sure what will become of it. It might not work at all. It will also change quite a lot of things, so there might be less invasive and cleaner solutions. Let's just say rt6_lookup(), which appears to cause most of these problems, will not be the same...

Regards,
Ville
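The catch-all effect and the 'reason' restriction discussed in the message above, as an added example that is not part of the original message and is not kernel code: a simplified user-space model of the rule walk in C. The struct layout, the enum names and the rule that an unspecified source matches any "from" prefix are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of the rule walk; not kernel code. */
enum action  { ACT_TO_TBL, ACT_UNREACHABLE };
enum purpose { FOR_ANY, FOR_INPUT, FOR_OUTPUT, FOR_SADDR }; /* hypothetical 'reason' values */
struct rule {
    uint8_t      src[16];   /* "from" prefix */
    int          src_len;   /* prefix length in bits, 0 = from any */
    enum purpose reason;    /* lookup type the rule is restricted to */
    enum action  act;
};

/* Constructed sample: "from 2001::1/128 for INPUT unreachable", then a catch-all to a table. */
static const struct rule rules[] = {
    { { 0x20, 0x01, [15] = 0x01 }, 128, FOR_INPUT, ACT_UNREACHABLE },
    { { 0 },                         0, FOR_ANY,   ACT_TO_TBL },
};

static bool prefix_match(const uint8_t *a, const uint8_t *p, int bits)
{
    int bytes = bits / 8, rem = bits % 8;
    if (memcmp(a, p, bytes) != 0)
        return false;
    return rem == 0 || ((a[bytes] ^ p[bytes]) >> (8 - rem)) == 0;
}

/* src == NULL: no source address given; honor_reason == false: 'reason' field ignored. */
static enum action lookup(const uint8_t *src, enum purpose why, bool honor_reason)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct rule *r = &rules[i];
        if (honor_reason && r->reason != FOR_ANY && r->reason != why)
            continue;
        /* Assumption: an unspecified source matches any "from" prefix. */
        if (r->src_len == 0 || src == NULL || prefix_match(src, r->src, r->src_len))
            return r->act;
    }
    return ACT_UNREACHABLE; /* no rule matched */
}

int main(void)
{
    printf("saddr lookup, reason ignored: %d\n", lookup(NULL, FOR_SADDR, false));
    printf("saddr lookup, reason honored: %d\n", lookup(NULL, FOR_SADDR, true));
    return 0;
}
```

With the 'reason' field ignored, the source-address lookup hits the unreachable rule; with it honored, the same lookup falls through to the table rule while INPUT traffic from 2001::1 is still rejected.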
