forked from extern/shorewall_code
Expand the description of 'noanycast' in shorewall-interfaces(5)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
6120eba8f9
commit
774be17a32
@ -631,11 +631,49 @@ loc eth2 -</programlisting>
|
||||
<term>noanycast</term>
|
||||
|
||||
<listitem>
|
||||
<para>IPv6 only. Added in Shorewall 5.2.8. Shorewall6 normally
|
||||
generates rules to silently drop anycast packets for subnets
|
||||
on all available interfaces. This can be inhibited for
|
||||
individual interfaces by specifying <emphasis
|
||||
role="bold">noanycast</emphasis> for those interfaces.</para>
|
||||
<para>IPv6 only. Added in Shorewall 5.2.8.</para>
|
||||
|
||||
<para>Shorewall6 has traditionally generated rules for IPv6
|
||||
<emphasis>anycast</emphasis> addresses. These rules
|
||||
include:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para> Packets with these destination IP addresses are
|
||||
dropped by REJECT rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para> Packets with these source IP addresses are dropped
|
||||
by the 'nosmurfs' interface option and by the 'dropSmurfs'
|
||||
action.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Packets with these destination IP addresses are not
|
||||
logged during policy enforcement.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Packets with these destination IP addresses are
|
||||
processes by the 'Broadcast' action.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>This can be inhibited for individual interfaces by
|
||||
specifying <emphasis role="bold">noanycast</emphasis> for
|
||||
those interfaces.</para>
|
||||
|
||||
<note>
|
||||
<para>RFC 2526 describes IPv6 subnet anycast addresses. The
|
||||
RFC makes a distinction between subnets with "IPv6 address
|
||||
types required to have 64-bit interface identifiers in
|
||||
EUI-64 format" and all other subnets. When generating these
|
||||
anycast addresses, the Shorewall compiler does not make this
|
||||
distinction and unconditionally assumes that the last 128
|
||||
addresses in the subnet are reserved as anycast
|
||||
addresses.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user