Route Advertisement breaks firewall

Summary

Route Advertisement is enabled on the labs VLAN, which unintentionally causes routes to be set automatically on machines that have a labs interface used for bridging (mainly hypervisors). When a packet from labs is received on one of these machines, the rpfilter test in iptables prerouting fails, because the packet is received on the default interface (not labs) while the machine "has" a direct route to labs, and the packet is dropped.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Send an IPv6 packet from a machine in labs to a machine outside labs that has a labs interface used for bridging (e.g. dredd).
  2. Run tcpdump or check the journal and watch the packet being dropped at the destination for failing the rpfilter test.

Expected behavior

Packet shouldn't be dropped.
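
The failure described in the summary, modelled as an added example (not part of the original report): a strict reverse-path check run against a routing table with and without the automatically installed labs route. The interface name `eth0` and all prefixes and addresses are constructed assumptions, taken from the IPv6 documentation range.

```python
import ipaddress


def lookup(routes, addr):
    """Longest-prefix match: return the outgoing interface for addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rpfilter_accepts(routes, src, in_iface):
    """Strict reverse-path check: the route back to src must use in_iface."""
    return lookup(routes, src) == in_iface


# Constructed sample data (not from the report).
LABS_PREFIX = "2001:db8:1ab5::/64"   # assumed labs VLAN prefix
LABS_HOST = "2001:db8:1ab5::42"      # assumed sender inside labs

# Routing table of the hypervisor before any labs route is learned.
BASE_ROUTES = [
    ("::/0", "eth0"),                # default route
    ("2001:db8:a::/64", "eth0"),     # the hypervisor's own network
]

# Same table after the advertisement installs an on-link route via the bridge.
RA_ROUTES = BASE_ROUTES + [(LABS_PREFIX, "labs")]


def verdicts():
    """Return the check result for a routed labs packet arriving on eth0."""
    return {
        "without_ra_route": rpfilter_accepts(BASE_ROUTES, LABS_HOST, "eth0"),
        "with_ra_route": rpfilter_accepts(RA_ROUTES, LABS_HOST, "eth0"),
    }


if __name__ == "__main__":
    for name, accepted in verdicts().items():
        print(f"{name}: {'accept' if accepted else 'drop'}")
```

With the labs route present, the reverse lookup for the sender resolves to `labs` while the packet arrived on `eth0`, so the strict check rejects it; without that route the default route via `eth0` matches and the packet passes.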