Expand the description of 'noanycast' in shorewall-interfaces(5)

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 07:33:43 +01:00 · 2020-09-09 12:33:01 -07:00 · 2020-09-09 12:33:01 -07:00 · 774be17a32
commit 774be17a32
parent 6120eba8f9
1 changed files with 43 additions and 5 deletions
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@ -631,11 +631,49 @@ loc     eth2            -</programlisting>
              <term>noanycast</term>

              <listitem>
-                <para>IPv6 only. Added in Shorewall 5.2.8. Shorewall6 normally
-                generates rules to silently drop anycast packets for subnets
-                on all available interfaces. This can be inhibited for
-                individual interfaces by specifying <emphasis
-                role="bold">noanycast</emphasis> for those interfaces.</para>
+                <para>IPv6 only. Added in Shorewall 5.2.8.</para>
+
+                <para>Shorewall6 has traditionally generated rules for IPv6
+                <emphasis>anycast</emphasis> addresses. These rules
+                include:</para>
+
+                <orderedlist numeration="loweralpha">
+                  <listitem>
+                    <para> Packets with these destination IP addresses are
+                    dropped by REJECT rules.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para> Packets with these source IP addresses are dropped
+                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
+                    action.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are not
+                    logged during policy enforcement.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    processes by the 'Broadcast' action.</para>
+                  </listitem>
+                </orderedlist>
+
+                <para>This can be inhibited for individual interfaces by
+                specifying <emphasis role="bold">noanycast</emphasis> for
+                those interfaces.</para>
+
+                <note>
+                  <para>RFC 2526 describes IPv6 subnet anycast addresses. The
+                  RFC makes a distinction between subnets with "IPv6 address
+                  types required to have 64-bit interface identifiers in
+                  EUI-64 format" and all other subnets. When generating these
+                  anycast addresses, the Shorewall compiler does not make this
+                  distinction and unconditionally assumes that the last 128
+                  addresses in the subnet are reserved as anycast
+                  addresses.</para>
+                </note>
              </listitem>
            </varlistentry>