Ping and traceroute failing for eth0.3 on IPv6

It took me a while to find out the root cause of "Permission denied" (EACCES). It should be caused by the iif lo failed_policy rule installed by OpenWrt patches:

  • target/linux/generic/pending-4.19/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
  • package/network/utils/iproute2/patches/180-drop_FAILED_POLICY.patch

My current understanding of the situation is that when doing source address selection:

  • The kernel does a route lookup to find the output device. This will fail because no route matches. The default routes in the main table are all constrained by a "from" directive. The default routes in tables 2 and 4 are guarded by a "from" directive in the ip rules.
  • With the output device unspecified, "Rule 5: Prefer outgoing interface." of RFC 3484 will not apply. "Rule 8: Use longest matching prefix." results in a tie for destination 2800:3f0:4001:800::200e. The source address selection algorithm is free to use scope global addresses from other interfaces, e.g. pppoe-wan, etc.

If the above assumption holds, after source address selection, we end up with fl6.saddr from "pppoe-wan" and fl6.flowi6_oif being "eth0.3" (SO_BINDTODEVICE).

Then the kernel does a route lookup again to find the output route, and it fails again, hitting iif lo failed_policy. This time the EACCES will be returned to userspace.

My conclusion is that the source-address-constrained routes in the main table should be the cause. However, I am not sure why they are there and preferred over the traditional destination-based routes.

There are a few ways to check and confirm how correct the above is.

# ping another address so that "Rule 8: Use longest matching prefix."
# prefers "2804:14c:658b:1000:45d7:3d14:cfdc:66cd/128" from eth0.3.
#
# Timeout is not a concern; we just want to make sense of the
# "Permission denied" error.
ping -I eth0.3 2804:14...
ping -I pppoe-wan 2804:14...

# remove those "default from xxx" routes from main table 
# and replace them with traditional ones.
ip -6 route del default from 2804:14c:658b:1000:45d7:3d14:cfdc:66cd via fe80::201:5cff:fe66:7646 dev eth0.3 proto static metric 512 pref medium
ip -6 route del default from 2804:14c:658b:5fed::/64 via fe80::201:5cff:fe66:7646 dev eth0.3 proto static metric 512 pref medium
ip -6 route del default from 2804:1b2:182:d768::/64 via fe80::6b0:e7ff:fec9:4557 dev pppoe-wan proto static metric 512 pref medium
ip -6 route del default from 2804:1b2:206:520::/64 via fe80::6b0:e7ff:fec9:4557 dev pppoe-wan proto static metric 512 pref medium
# one destination-based default per uplink (repeating the same "add" would fail with "File exists")
ip -6 route add default via fe80::201:5cff:fe66:7646 dev eth0.3 proto static metric 512 pref medium
ip -6 route add default via fe80::6b0:e7ff:fec9:4557 dev pppoe-wan proto static metric 512 pref medium
ping -c 2 -I pppoe-wan ipv6.google.com
ping -c 2 -I eth0.3 ipv6.google.com
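The Rule 8 comparison described in the post can be reproduced offline. The following is an added example, not part of the original post: it computes RFC 3484 CommonPrefixLen for the destination from the post against candidate source addresses. Only the eth0.3 /128 address and the destination are taken from the post; the `::1` hosts inside the three /64 prefixes, their interface labels (taken from the `dev` of the matching "from" routes) and the second destination are constructed assumptions.

```python
import ipaddress


def common_prefix_len(a, b):
    """CommonPrefixLen(A, B) from RFC 3484 section 2.2: number of leading bits shared."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def rule8_winners(dst, candidates):
    """Apply only Rule 8 (longest matching prefix).

    Returns (best_len, winners), where winners lists every (iface, addr)
    that ties for the longest common prefix with dst. More than one winner
    means Rule 8 cannot decide and any of them may be picked.
    """
    scored = [(common_prefix_len(addr, dst), iface, addr) for iface, addr in candidates]
    best = max(score for score, _, _ in scored)
    return best, [(iface, addr) for score, iface, addr in scored if score == best]


# Candidate global source addresses. Rule 5 (prefer outgoing interface) is
# skipped here because, per the post, no output device is known at this point.
CANDIDATES = [
    ("eth0.3", "2804:14c:658b:1000:45d7:3d14:cfdc:66cd"),  # address from the post
    ("eth0.3", "2804:14c:658b:5fed::1"),     # constructed host, prefix from the post
    ("pppoe-wan", "2804:1b2:182:d768::1"),   # constructed host, prefix from the post
    ("pppoe-wan", "2804:1b2:206:520::1"),    # constructed host, prefix from the post
]

DST_FROM_POST = "2800:3f0:4001:800::200e"    # destination named in the post
DST_SAME_PREFIX = "2804:14c:658b:1000::1"    # constructed: shares a /64 with eth0.3

if __name__ == "__main__":
    for dst in (DST_FROM_POST, DST_SAME_PREFIX):
        best, winners = rule8_winners(dst, CANDIDATES)
        print(f"dst {dst}: longest common prefix = {best} bits")
        for iface, addr in winners:
            print(f"    candidate {addr} on {iface}")
```

For the destination from the post, every candidate ties, so an address on pppoe-wan is as eligible as one on eth0.3; for a destination inside the eth0.3 address's own /64, only the eth0.3 address wins.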