radvd
*Deny* prefix to specific clients
Hello,
According to the radvd documentation, there exists a method to assign a prefix to specific clients, only. I don't see a way to deny specific clients only... is this a possibility under the current implementation?
Thanks
On Sun, Jan 30, 2022 at 08:07:25PM -0800, gtxaspec wrote:
> According to the radvd documentation ...
What is the (deep) link to that statement?
`radvd.conf(5)` does cover the `clients {}` block within the `interface <name> {}` block, but that does not permit specific prefixes per client. As documented here https://github.com/radvd-project/radvd/blob/master/radvd.conf.5.man#L107-L118
Normally, `radvd` operates in a broadcast/multicast mode, which does not use any client-specific addressing (a client might never transmit a router solicitation, and then the `radvd` node will have zero knowledge it exists).
If you use `UnicastOnly` option, or the `clients` block, then `radvd` switches to a unicast-only mode. Clients that do not implement RouterSolicit will NOT work with such a configuration (they're violating the RFC, but you don't have control over that).
Conceptually, we could implement a `not-clients` block, which would run in unicast, and just invert the behavior of accepting specific clients to instead deny specific clients.
This option would be compatible with the RFCs, but will still break those same clients. I'd probably implement it as a boolean option that just flipped the behavior of the clients block.
Would this solve what you want?
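One way to approximate deny semantics with the existing `clients {}` allow-list, as an added example that is not from this thread or the radvd project: build the block from a list of known neighbours minus the ones to exclude. The function name and all addresses are constructed for illustration; the unicast-only caveat described above still applies, and any client not in the known list is excluded as well.

```python
import ipaddress


def _norm(addr: str) -> ipaddress.IPv6Address:
    """Parse an IPv6 address, dropping any %zone suffix, so that
    different spellings of the same address compare equal."""
    return ipaddress.IPv6Address(addr.strip().split("%", 1)[0])


def render_clients_block(known, denied, indent="    "):
    """Return a radvd.conf `clients { ... };` block listing every known
    client that is not denied (hypothetical helper, not part of radvd)."""
    known_set = {_norm(a) for a in known}
    denied_set = {_norm(a) for a in denied}
    allowed = sorted(known_set - denied_set)
    if not allowed:
        # Refuse to emit an empty block rather than guess how it is handled.
        raise ValueError("every known client is denied; nothing to list")
    lines = [f"{indent}clients {{"]
    lines += [f"{indent * 2}{a};" for a in allowed]
    lines.append(f"{indent}}};")
    return "\n".join(lines)


# Constructed sample data: neighbours seen on the link, in mixed notations.
KNOWN = [
    "fe80::21f:16ff:fe06:3aab",
    "FE80:0:0:0:21D:72FF:FE96:AAFF",  # same host as the denied entry below
    "fe80::1%eth0",
]
DENIED = ["fe80::21d:72ff:fe96:aaff"]

if __name__ == "__main__":
    # Paste the output inside the relevant `interface <name> { ... };` block.
    print(render_clients_block(KNOWN, DENIED))
```

Comparing parsed addresses rather than strings matters here: the denied host appears in uppercase, uncompressed form in the known list and would survive a plain string comparison.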
@gtxaspec: Have you seen @stappersg's and @robbat2's comments?