{"id":29,"date":"2012-08-09T10:26:16","date_gmt":"2012-08-09T10:26:16","guid":{"rendered":"https:\/\/chroot-me.in\/newblog\/2012\/08\/29\/"},"modified":"2014-01-30T02:34:04","modified_gmt":"2014-01-30T01:34:04","slug":"how-to-blackhole-ipv4-and-ipv6-traffic-with-gnulinux-quagga-zebra","status":"publish","type":"post","link":"https:\/\/chroot-me.in\/blog\/2012\/08\/how-to-blackhole-ipv4-and-ipv6-traffic-with-gnulinux-quagga-zebra\/","title":{"rendered":"How to blackhole IPv4 and IPv6 traffic with GNU\/Linux + Quagga + Zebra"},"content":{"rendered":"

IPv6 black-holing (null routing<\/a>, or the action to silently discard traffic matching a given destination IP prefix) is bugged with Quagga<\/strong> and\/or iproute2<\/strong>. Indeed, none of the following commands seems to be working:<\/p>\n

\n
quagga-router(config)# ipv6 route 2001:db8::\/32 lo blackhole\r\n\r\nlinux-shell$ ip -6 route add blackhole 2001:db8::\/32<\/pre>\n<\/div>\n
Notice that the quagga command requires an interface, while its IPv4 counterpart doesn’t. I tested with the linux loopback interface lo<\/strong> and a dummy interface ds0<\/strong> trying to mimick the FreeBSD discard interface, in vain. The iproute2 command also fails and it is apparently a known bug since 2003, wtf?<\/p>\n
So how to circumvent this buggy behavior without breaking in blood tears?<\/p>\n
Well, simply use a dummy interface and static, high metric routes. Here is the \/etc\/network\/interfaces<\/strong> snippet from my debian routers for null routing 2001:db8::\/32<\/strong> and 192.168.168.0\/24<\/strong>:<\/p>\n
\n
# blackhole\r\niface ds0 inet manual\r\n pre-up ip link add dev ds0 type dummy\r\n pre-up ip link set ds0 up\r\n up ip -6 route add 2001:db8::\/32 dev ds0 proto static metric 255\r\n up ip -4 route add 192.168.168.0\/24 dev ds0 proto static metric 255\r\n down ip link del dev ds0<\/pre>\n<\/div>\n
If you know any proper method to achieve the same result, please share. Mine is dirty, but at least I am not leaking traffic or looping back and forth with my upstream router anymore. Yay!<\/p>\n","protected":false},"excerpt":{"rendered":"
IPv6 black-holing (null routing, or the action to silently discard traffic matching a given destination IP prefix) is bugged with Quagga and\/or iproute2. Indeed, none of the following commands seems to be working: quagga-router(config)# ipv6 route 2001:db8::\/32 lo blackhole linux-shell$ ip -6 route add blackhole 2001:db8::\/32 Notice that the quagga command requires an interface, while … Continuer la lecture de « How to blackhole IPv4 and IPv6 traffic with GNU\/Linux + Quagga + Zebra »<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4],"tags":[],"class_list":["post-29","post","type-post","status-publish","format-standard","hentry","category-english","category-geek"],"_links":{"self":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/posts\/29","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/comments?post=29"}],"version-history":[{"count":0,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/posts\/29\/revisions"}],"wp:attachment":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/media?parent=29"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/categories?post=29"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/tags?post=29"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}