public inbox for netfilter@vger.kernel.org
From: Slavko <linux@slavino.sk>
To: netfilter@vger.kernel.org
Subject: IPv6 blackhole route
Date: Sun, 18 Jan 2026 09:22:22 +0100
Message-ID: <20260118082222.698d9d06@bonifac.skk>

Hi,

I am playing with a blackhole route on IPv6 and I either did something
wrong or I am somewhat confused... I am actually using it on a somewhat
old OpenWRT router (Linux 4.4.92 mips, with iptables v1.4.21), but my
investigation was on Debian oldstable (Linux 6.1.0-42-amd64 x86_64, with
iptables v1.8.9 (nf_tables)), inside a privileged LXC container (if that
matters).

I tried to use the TRACE target on Debian, but it fails on a rule with a
match module, so no luck investigating it in more depth on a machine
with iptables (with real rules):

    ...
    Error: match extension not found
    xtables-monitor v1.8.9 (nf_tables): Parsing nftables rule failed
    Perhaps xtables-monitor or your kernel needs to be upgraded.
    ...

When I add an IPv4 blackhole route, the packet seems to be dropped at
the routing decision; at least the counters in the filter/INPUT chain
don't grow, I don't get a response to ping, and in the kernel log (I log
from all network namespaces) I see:

    IPv4: martian source 10.0.0.2 from 10.0.0.3, on dev eth0

But when I try the same with IPv6, e.g.:

    ip route add blackhole fd16:b::3/64

(it works even without -6) I do not get a ping response, but the
counters in filter/INPUT continue to grow and nothing is logged in the
kernel log, so I guess that the packet goes beyond the routing decision.

Please, did I do it wrong, or is it expected behavior on IPv6, or ...?

regards

-- 
Slavko
https://www.slavino.sk
