Rod Whitworth(glis...@witworx.com) on 2013.08.07 16:14:50 +1000:
> On Wed, 7 Aug 2013 07:30:49 +0200, Claudio Jeker wrote:
> 
> >This is from the network stack, it does not mean that bgpd added routes
> >for this. For that you should check bgpctl show rib, bgpctl show fib and
> >route(8) output. 
> I'll have to check when some traffic is passing. Pity the error line
> doesn't have a timestamp 8-)

check /var/log/messages
 
> >The problem here is that somebody on sis0 is sending you
> >packets using link local addresses as source IP to a global IP as
> >destination. This is not allowed since there is no way to send packets
> >back. So if sis0 is upstream then something is seriously wrong on that
> >upstream.  
> 
> I dig all that and my attitude was that they should not be doing that
> but why is my filter not blocking it anyway?
> 
> deny from any prefix fe80::/10 prefixlen >= 10          # link local unicast
> 
> Am I missing something there?

yes, this:

> >This is from the network stack
 
bgpd has nothing to do with it: the box on the other end of your link is
sending you this traffic. The network stack sees it (on rcvif sis0), it
knows it would have to forward it (through outif vr1) and decides that it
cannot do that because link-local -> global unicast is not allowed.

All your bgp rule above does is say "my peer is not allowed to send me
link-local routes" via bgp, and it probably isn't doing that at all. bgpd does
just the route filtering, not the traffic filtering that happens here in the
network stack (and that is not configurable).

/Benno

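To make the distinction Benno draws concrete, here is an added example (my own code, not from the thread, bgpd or the OpenBSD kernel) that models the two checks side by side: a bgpd-style prefix filter, which is evaluated against prefixes a peer announces, and the forwarding check the stack applies to an actual packet whose source is link-local. The rule parser only understands the one `deny from any prefix P prefixlen OP N` shape used in the thread, "last matching rule wins" and "no match means allow" follow bgpd.conf's documented filter semantics, and the packets and announced prefixes below are constructed for the demonstration.

```python
"""Route filtering (bgpd) versus forwarding checks (network stack).

Added example: simplified models, not code from bgpd or the OpenBSD kernel.
"""
import ipaddress
import operator

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

_OPS = {
    ">=": operator.ge,
    "<=": operator.le,
    "=": operator.eq,
    ">": operator.gt,
    "<": operator.lt,
}


def parse_rule(line):
    """Parse one bgpd.conf-style line of the form
    'deny from any prefix P prefixlen OP N  # comment'.
    Only this shape is handled (assumption for the example)."""
    tokens = line.split("#", 1)[0].split()
    if (len(tokens) != 8 or tokens[1:4] != ["from", "any", "prefix"]
            or tokens[5] != "prefixlen" or tokens[6] not in _OPS):
        raise ValueError("unsupported rule: %r" % line)
    return {
        "action": tokens[0],
        "prefix": ipaddress.ip_network(tokens[4]),
        "op": _OPS[tokens[6]],
        "len": int(tokens[7]),
    }


def route_filter_verdict(rules, announced):
    """Evaluate the rules against a prefix a BGP peer announces.
    This is what bgpd's filter sees: routes, never packets.
    Last matching rule wins; no match means allow (bgpd's default)."""
    net = ipaddress.ip_network(announced)
    verdict = "allow"
    for rule in rules:
        if (net.version == rule["prefix"].version
                and net.subnet_of(rule["prefix"])
                and rule["op"](net.prefixlen, rule["len"])):
            verdict = rule["action"]
    return verdict


def forwarding_verdict(src, dst):
    """Model the stack's refusal described above: a packet whose source is
    link-local cannot be forwarded to a non-link-local destination, because
    there is no way to send a reply back.  Returns 'drop' or 'forward'.
    Simplification: only this one check is modelled; everything else is
    reported as forwardable."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version == 6 and s in LINK_LOCAL and d not in LINK_LOCAL:
        return "drop"
    return "forward"


if __name__ == "__main__":
    # The rule from the thread, evaluated against constructed announcements.
    rules = [parse_rule(
        "deny from any prefix fe80::/10 prefixlen >= 10   # link local unicast")]
    for prefix in ("fe80::/64", "2001:db8::/32"):
        print("announced %-16s -> bgpd filter: %s"
              % (prefix, route_filter_verdict(rules, prefix)))

    # A constructed packet like the one the stack complained about: the
    # bgpd rule is never consulted for it, the forwarding check is.
    src, dst = "fe80::1", "2001:db8::1"
    print("packet %s -> %s: network stack: %s"
          % (src, dst, forwarding_verdict(src, dst)))
```

The point the output makes: the filter denies a link-local *route* such as fe80::/64 if a peer ever announced one, but a *packet* sourced from fe80::1 never passes through that filter at all; it is the forwarding check in the stack that drops it, and that check is not something a bgpd.conf rule can switch on or off.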