Hi,

I have shorewall running on a gateway that gets both IPv4 and IPv6 addresses or 
prefixes dynamically assigned by my ISP. When I dump the ip6tables rules with 
ip6tables-restore, I can see certain rules containing anycast addresses for 
each interface. The rules look like these:
-A Broadcast -d 2001:db8:1:1::/128 -j DROP
-A Broadcast -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP
-A reject -d 2001:db8:1:1::/128 -j DROP
-A reject -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP
-A smurfs -s 2001:db8:1:1::/128 -g smurflog
-A smurfs -s 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -g smurflog

I'd like to know: What generates these rules and can I suppress just these 
without changing anything else in the ruleset? I tried a few options like 
removing the nosmurfs option in the interfaces file, since the smurfs chain is 
referenced here, but that didn't do anything. Neither did any of my attempted 
changes to shorewall.conf, so I still don't even know what causes these rules 
to be generated.

The reason I'm asking is this: The anycast-related rules are the only ones 
changing when I reload shorewall6 after my gateway received new IPv6 addresses. 
Since renumbering occurs frequently on this machine, I'm wondering if I can 
avoid having to reload shorewall6 all the time. I thought about adding a hook 
to my DHCPv6 client that could add the anycast addresses for each interface to 
an ipset, so I could reference just the ipset in my shorewall6 configuration 
and the ruleset itself could stay the same without the need to reload 
shorewall6 after renumbering occurs.

Thanks and regards,

Timo
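The DHCPv6-hook idea from the post, as an added example that is not part of the original message or of Shorewall itself: a hypothetical Python hook that takes each newly assigned prefix, derives the two anycast entries visible in the rules above (the subnet-router anycast `<prefix>::/128` and the reserved subnet-anycast block `<prefix>:ffff:ffff:ffff:ff80/121`) and emits `ipset restore` input that swaps them into a set named `anycast6` (set name, script name and argument convention are assumptions). It generalises the /64 case shown in the post to any prefix length up to /121, where the reserved block is always the highest 128 addresses of the subnet.

```python
#!/usr/bin/env python3
"""Hypothetical DHCPv6-client hook: rebuild an ipset of anycast addresses.

Usage: anycast-hook.py <prefix> [<prefix> ...] | ipset restore
The ip6tables/shorewall6 rules can then match on the set instead of on
literal addresses, so renumbering no longer changes the ruleset itself.
"""
import ipaddress
import sys
from typing import List

SET_NAME = "anycast6"          # assumed set name referenced from shorewall6
TMP_SET = SET_NAME + "_new"    # scratch set used for an atomic swap


def anycast_nets(prefix: str) -> List[str]:
    """Return the two anycast networks for one subnet prefix.

    - subnet-router anycast: the all-zero interface ID, as a /128
    - reserved subnet anycast block: the highest 128 addresses of the
      subnet, as a /121 (for a /64 this is <prefix>:ffff:ffff:ffff:ff80/121)
    strict=True rejects prefixes with host bits set, e.g. 2001:db8::1/64.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 121:
        raise ValueError(f"{prefix}: too small to hold a /121 reserved block")
    router = ipaddress.IPv6Network((int(net.network_address), 128))
    # broadcast_address is the last address of the subnet; its low 7 bits
    # are all ones, so subtracting 127 lands exactly on a /121 boundary.
    reserved = ipaddress.IPv6Network((int(net.broadcast_address) - 127, 121))
    return [str(router), str(reserved)]


def ipset_restore_script(prefixes: List[str]) -> str:
    """Produce `ipset restore` input that replaces the set's members.

    Entries are loaded into a scratch set which is then swapped in, so the
    live set is never empty while the rules are matching against it.
    """
    lines = [
        f"create {SET_NAME} hash:net family inet6 -exist",
        f"create {TMP_SET} hash:net family inet6 -exist",
        f"flush {TMP_SET}",
    ]
    for p in prefixes:
        for n in anycast_nets(p):
            lines.append(f"add {TMP_SET} {n}")
    lines.append(f"swap {TMP_SET} {SET_NAME}")
    lines.append(f"destroy {TMP_SET}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed default prefix (documentation range) for a dry run.
    sys.stdout.write(ipset_restore_script(sys.argv[1:] or ["2001:db8:1:1::/64"]))
```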


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users