Hello,

> $ sudo ip route add to blackhole 2001::1/128 dev lo
> $ ip -6 ro sh | grep 2001::1
> unreachable 2001::1 dev lo metric 1024 error -101 mtu 16436 advmss 16376
> hoplimit 4294967295
> $ ping6 -c 1 2001::1
> connect: Network is unreachable

Interestingly this works fine with lo interfaces, but not with "real"
interfaces.

(to ensure our default gw is not blackholed as per default)
$ ip -6 route add default via fe80::1 dev eth0

$ ip route add to blackhole 2001::1/128 dev eth1
$ ip -6 route | grep 2001::1
2001::1 dev eth1 metric 1024 expires 21334286sec mtu 1500 advmss 1440 hoplimit 4294967295
(looks just like a normal route)

$ ping6 -c 1 2001::1
PING 2001::1(2001::1) 56 data bytes
From fe80::2e0:18ff:fe66:e24a icmp_seq=1 Destination unreachable: Address unreachable

(at the same time)
$ tcpdump -i eth1 -n -p ip6
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
20:57:46.983658 IP6 fe80::xxxx:xxxx:xxxx:xxxx > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001::1, length 32
<no answer, obviously>

(afterwards)
$ ip -6 neigh | grep 2001::1
2001::1 dev eth1 FAILED

Hence this route is just a normal device route, despite the blackhole
type being specified in the command. But of course, the device doesn't
matter, so dev lo seems fine.

On the other hand, unreachable is not the same as blackhole, at least in
IPv4, so even the dev lo version doesn't really do what one would expect
from the man page.

So I'd still call this a bug, either in the documentation or the
iproute/kernel implementation, albeit a less severe one, as the dev lo
thing should be a valid alternative in most cases (unless you really just
want those packets to be dropped instead of also sending out ICMP
unreachable messages).

Thomas
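
Added example, not part of the original message or of iproute2: a Python check that reads `ip -6 route show` output and reports whether a prefix meant to be null-routed was really installed with type blackhole. The lo and eth1 route lines are the ones quoted in the message; the default-route line and the `blackhole` line are constructed, and all function names are hypothetical.

```python
import ipaddress

# Route types iproute2 prints as the first token of a route line. A plain
# unicast route carries no keyword and starts with the prefix itself.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "throw",
               "unreachable", "prohibit", "blackhole", "anycast", "nat"}

# Outputs from the message, plus two constructed lines (marked).
LO_OUTPUT = ("unreachable 2001::1 dev lo metric 1024 error -101 "
             "mtu 16436 advmss 16376 hoplimit 4294967295\n")
ETH_OUTPUT = ("default via fe80::1 dev eth0 metric 1024\n"  # constructed
              "2001::1 dev eth1 metric 1024 expires 21334286sec "
              "mtu 1500 advmss 1440 hoplimit 4294967295\n")
GOOD_OUTPUT = "blackhole 2001::1 dev lo metric 1024\n"      # constructed

def parse_route(line):
    """Return (type, network, device) for one route line, or None."""
    tokens = line.split()
    rtype = "unicast"
    if tokens and tokens[0] in ROUTE_TYPES:
        rtype, tokens = tokens[0], tokens[1:]
    if not tokens:
        return None
    prefix = "::/0" if tokens[0] == "default" else tokens[0]
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None  # not a route line (header, warning, ...)
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens[:-1] else None
    return rtype, net, dev

def check_blackhole(route_output, prefix):
    """Report whether `prefix` is present and has route type blackhole."""
    want = ipaddress.ip_network(prefix, strict=False)
    for line in route_output.splitlines():
        parsed = parse_route(line)
        if parsed and parsed[1] == want:
            rtype, _, dev = parsed
            if rtype == "blackhole":
                return "ok"
            return f"mismatch: installed as {rtype} on {dev}"
    return "missing"

if __name__ == "__main__":
    for name, out in (("lo", LO_OUTPUT), ("eth1", ETH_OUTPUT),
                      ("expected", GOOD_OUTPUT)):
        print(name, "->", check_blackhole(out, "2001::1/128"))
```

On a live system the input would be the text of `ip -6 route show`; a "mismatch" result flags a route that will answer with ICMP errors or attempt neighbour discovery instead of silently dropping packets.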