Re: IPFILTER IPv6 support non-functional?
From: itojun@iijlab.net
Date: 03/01/01
- Next message: Brooks Davis: "Re: ssh -t <host> /bin/sh trick (was Re: ftp access)"
- Previous message: Nate Williams: "RE: ssh tricks (was Re: ssh -t <host> /bin/sh trick (was Re: ftp"
- In reply to: Hajimu UMEMOTO: "Re: IPFILTER IPv6 support non-functional?"
- Next in thread: itojun@iijlab.net: "Re: IPFILTER IPv6 support non-functional?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Hajimu UMEMOTO <ume@mahoroba.org> From: itojun@iijlab.net Date: Thu, 01 Mar 2001 13:01:39 +0900
>> Would the KAME people have problems integrating this patch to enable
>> IPv6 for IP-filter?
>I believe KAME doesn't maintain IP-filter at all. But, itojun said
>that calculation of payload length is wrong.
yup, that is what i saw in the latest. also ipf does not chase
extension headers, so even if you try to filter tcp, "tcp with
routing header" will go through. not sure how should we model filter
languages in presense of header chain.
I guess it safer to enable it in main trunk, and get it tested against
IPv6 traffic for some time. it looks that there's too little time
for 4.3 to have IPv6 ipf enabled.
itojun
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Brooks Davis: "Re: ssh -t <host> /bin/sh trick (was Re: ftp access)"
- Previous message: Nate Williams: "RE: ssh tricks (was Re: ssh -t <host> /bin/sh trick (was Re: ftp"
- In reply to: Hajimu UMEMOTO: "Re: IPFILTER IPv6 support non-functional?"
- Next in thread: itojun@iijlab.net: "Re: IPFILTER IPv6 support non-functional?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
