Expand the description of 'noanycast' in shorewall-interfaces(5)

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-20 01:37:59 +02:00 · 2020-09-09 12:33:01 -07:00 · 2020-09-09 12:33:01 -07:00 · 774be17a32
commit 774be17a32
parent 6120eba8f9
1 changed files with 43 additions and 5 deletions
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@ -631,11 +631,49 @@ loc     eth2            -</programlisting>
              <term>noanycast</term>
              <listitem>
-                <para>IPv6 only. Added in Shorewall 5.2.8. Shorewall6 normally
+                <para>IPv6 only. Added in Shorewall 5.2.8.</para>
-                generates rules to silently drop anycast packets for subnets
+
-                on all available interfaces. This can be inhibited for
+                <para>Shorewall6 has traditionally generated rules for IPv6
-                individual interfaces by specifying <emphasis
+                <emphasis>anycast</emphasis> addresses. These rules
-                role="bold">noanycast</emphasis> for those interfaces.</para>
+                include:</para>
                <orderedlist numeration="loweralpha">
                  <listitem>
                    <para> Packets with these destination IP addresses are
                    dropped by REJECT rules.</para>
                  </listitem>
                  <listitem>
                    <para> Packets with these source IP addresses are dropped
                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
                    action.</para>
                  </listitem>
                  <listitem>
                    <para>Packets with these destination IP addresses are not
                    logged during policy enforcement.</para>
                  </listitem>
                  <listitem>
                    <para>Packets with these destination IP addresses are
                    processes by the 'Broadcast' action.</para>
                  </listitem>
                </orderedlist>
                <para>This can be inhibited for individual interfaces by
                specifying <emphasis role="bold">noanycast</emphasis> for
                those interfaces.</para>
                <note>
                  <para>RFC 2526 describes IPv6 subnet anycast addresses. The
                  RFC makes a distinction between subnets with "IPv6 address
                  types required to have 64-bit interface identifiers in
                  EUI-64 format" and all other subnets. When generating these
                  anycast addresses, the Shorewall compiler does not make this
                  distinction and unconditionally assumes that the last 128
                  addresses in the subnet are reserved as anycast
                  addresses.</para>
                </note>
              </listitem>
            </varlistentry>