From: Jonas Gorski <jogo@openwrt.org>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, kuznet@ms2.inr.ac.ru, jmorris@namei.org,
	yoshfuji@linux-ipv6.org, kaber@trash.net
Subject: Re: [RFC] ipv6: allow rejecting with "source address failed policy"
Date: Sat, 8 Jun 2013 00:40:00 +0200
Message-ID: <20130608004000.00007ce8@unknown>
In-Reply-To: <20130607.152730.1116898639369296832.davem@davemloft.net>

On Fri, 07 Jun 2013 15:27:30 -0700 (PDT)
David Miller <davem@davemloft.net> wrote:

> From: Jonas Gorski <jogo@openwrt.org>
> Date: Mon,  3 Jun 2013 16:45:08 +0200
> 
> > RFC6204 L-14 requires rejecting traffic from invalid addresses with
> > ICMPv6 Destination Unreachable, Code 5 (Source address failed
> > ingress/ egress policy) on the LAN side, so add an appropriate rule
> > for that.
> > 
> > Signed-off-by: Jonas Gorski <jogo@openwrt.org>
> 
> I don't see the point of this, there is no difference from the
> existing PROHIBIT other than the error code.  Everything that needs to
> be expressed can be done using PROHIBIT.
> 

There is a semantic difference. PROHIBIT says the *destination*
address is not allowed, so trying again is pointless.

This one says that while the destination is allowed, the *source*
address is not allowed, and a different source address should be used.
So probably -EAGAIN would be the right error code in that case.
"POLICY_FAILED" is maybe a wrong abbreviation, but the full name is
quite long (I'm open for suggestions).

Of course maybe handling of this kind of message should be added, too;
which should trigger the source address selection to choose a different
one.

Unless you say I can change the ICMPv6 Destination Unreached Code used
through appropriate rules, then this might be redundant.


Regards
Jonas
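
Added example, not part of this message or of the patch under discussion: a receiver-side sketch in C of the distinction drawn above, reading an ICMPv6 Destination Unreachable message (RFC 4443) and separating code 1 (administratively prohibited) from code 5 (source address failed ingress/egress policy). The function names, the `hint` enum and the sample packet built from documentation-prefix addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP6_DST_UNREACH 1      /* RFC 4443 type */
#define CODE_ADM_PROHIBITED 1    /* sent for PROHIBIT routes and rules */
#define CODE_SRC_POLICY_FAILED 5 /* the code the [RFC] patch wants to emit */

enum hint { HINT_MALFORMED, HINT_OTHER, HINT_GIVE_UP, HINT_TRY_OTHER_SOURCE };

/* msg points at the ICMPv6 header. The checksum is not verified here (that
 * needs the outer IPv6 pseudo-header). For code 5, bad_src receives the
 * source address of the embedded invoking packet, i.e. the one to avoid. */
enum hint classify_unreach(const uint8_t *msg, size_t len, uint8_t bad_src[16])
{
    if (len < 8)                       /* type, code, checksum, 4 unused */
        return HINT_MALFORMED;
    if (msg[0] != ICMP6_DST_UNREACH)
        return HINT_OTHER;
    if (msg[1] == CODE_ADM_PROHIBITED)
        return HINT_GIVE_UP;           /* destination refused: retry is pointless */
    if (msg[1] != CODE_SRC_POLICY_FAILED)
        return HINT_OTHER;
    if (len < 8 + 40 || (msg[8] >> 4) != 6) /* need the whole inner IPv6 header */
        return HINT_MALFORMED;
    memcpy(bad_src, msg + 8 + 8, 16);  /* inner header: source at offset 8 */
    return HINT_TRY_OTHER_SOURCE;
}

/* Constructed sample: error for a packet 2001:db8::1 -> 2001:db8:ffff::2. */
size_t build_sample(uint8_t buf[48], uint8_t code)
{
    static const uint8_t src[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 };
    static const uint8_t dst[16] = { 0x20, 0x01, 0x0d, 0xb8, 0xff, 0xff, [15] = 0x02 };
    memset(buf, 0, 48);
    buf[0] = ICMP6_DST_UNREACH;
    buf[1] = code;
    buf[8] = 0x60;                     /* inner packet: IP version 6 */
    memcpy(buf + 16, src, 16);
    memcpy(buf + 32, dst, 16);
    return 48;
}

int main(void)
{
    uint8_t buf[48], bad[16];
    size_t n = build_sample(buf, CODE_SRC_POLICY_FAILED);
    printf("hint=%d\n", classify_unreach(buf, n, bad));
    return 0;
}
```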
