> On Jun 4, 2026, at 11:25 AM, Claudio Jeker <[email protected]> wrote:
>
> On Thu, Jun 04, 2026 at 03:56:36PM +0100, Florian Obser wrote:
>>> On 2026-06-03 23:35 UTC, "Landy, Brian" <[email protected]> wrote:
>>> Should dhcp6leased automatically install routes for delegated prefixes
>>> in the source interface’s rdomain when the assigned interfaces are in
>>> different rdomains? If not, what is a good way to monitor dhcp6leased
>>> for changes so I can automate adding those routes when needed? Or I
>>> could use dhcpcd since it has hooks, but I’d like to use dhcp6leased
>>> if possible.
>>
>> dhcp6leased(8) should do the right thing[tm] automagically.
>> Hooks are to be avoided at all costs, to wit: CVE-2026-42512,
>> CVE-2026-42511
>>
>> I need to re-read your email when I'm less tired to figure out what the
>> right thing is.
>>
>> I'd also be interested in the opinion of other people familiar with
>> rdomains.
>
> This is a complex question. In general I would expect that dhcp6leased
> does not cross rdomain boundaries. I would expect that for
>     request prefix delegation on em0 for em1
> to work that both em0 and em1 run in the same rdomain.
> Delegating a prefix from one rdomain to a different one is certainly not
> common and requires extra config to work since you can't trivially jump
> rdomains so why would you delegate a prefix.
>
> --
> :wq Claudio
>
Let me clarify, dhcp6leased already does cross rdomains. It will request a prefix from the ISP in one rdomain and delegate subsets of it to interfaces in other rdomains. It creates the required routes in the rdomain of the interface(s) receiving the assignment(s). All that works today, without the need to run dhcp6leased in a specific rdomain.

Then, as long as dhcp6leased cannot install the reject route for the whole prefix, I can use pf (and rport) to jump rdomains. If it installs the reject route, which it should, then my thought was that dhcp6leased needs to install the routes for delegated prefixes in both rdomains.

Is the alternative to assign ULAs internally and use NAT for ip6? Is that the recommended approach?

Best,
Brian

