Re: IPFILTER IPv6 support non-functional?
From: itojun@iijlab.net
Date: 03/01/01
To: Darren Reed <darrenr@reed.wattle.id.au>
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 16:34:37 +0900
>> yup, that is what i saw in the latest. also ipf does not chase
>> extension headers, so even if you try to filter tcp, "tcp with
>> routing header" will go through. not sure how should we model filter
>> languages in presence of header chain.
>Aren't TCP, UDP and ICMP required to be the "last header" ? That is,
>they must be preceded by routing headers, etc.
that is what I was trying to mean.
TCP/UDP/ICMP are the last header, routing headers are placed between
IPv6 header and TCP headers.
so a TCP packet with routing header will be like this:
IPv6 routing TCP payload
ip6_nxt is IPPROTO_ROUTING, and ip6e_nxt in routing header will be
IPPROTO_TCP.
fil.c:fr_check() does not seem to skip these intermediate headers,
so the above packet will pass "drop tcp packets" filter.
itojun
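
The behaviour described in the message above, as an added example that is not part of the original post and is not IPFilter code: a check that reads only ip6_nxt sees IPPROTO_ROUTING, while a walk over the extension header chain finds the TCP header a "drop tcp" rule needs to match. The names naive_proto, final_proto and sample are hypothetical, the packet is constructed, and only hop-by-hop, routing, destination-options and fragment headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers, same values as the IPPROTO_* constants. */
enum { P_HOPOPTS = 0, P_TCP = 6, P_ROUTING = 43, P_FRAGMENT = 44, P_DSTOPTS = 60 };

/* Constructed sample: 40-byte IPv6 header, 8-byte routing header, 20-byte TCP header. */
static const uint8_t sample[68] = {
    [0] = 0x60, [5] = 28, [6] = P_ROUTING, [7] = 64,   /* ip6_nxt = routing */
    [40] = P_TCP, [41] = 0,                            /* ip6e_nxt = TCP, 8 bytes long */
    [48] = 0x04, [49] = 0xd2, [51] = 80, [60] = 0x50,  /* TCP 1234 -> 80 */
};

/* Hypothetical "look only at ip6_nxt" check, the behaviour the message describes. */
int naive_proto(const uint8_t *pkt, size_t len) { return len < 40 ? -1 : pkt[6]; }

/* Walk the chain; return the upper-layer protocol and its offset, -1 if unparseable. */
int final_proto(const uint8_t *pkt, size_t len, size_t *off)
{
    size_t o = 40, hlen;
    int nxt;

    if (len < 40)
        return -1;
    nxt = pkt[6];
    while (nxt == P_HOPOPTS || nxt == P_ROUTING || nxt == P_DSTOPTS || nxt == P_FRAGMENT) {
        if (len - o < 8)                 /* every extension header is at least 8 bytes */
            return -1;
        hlen = (nxt == P_FRAGMENT) ? 8 : ((size_t)pkt[o + 1] + 1) * 8;
        if (hlen > len - o)              /* declared length runs past the packet */
            return -1;
        /* Non-first fragment: no upper-layer header follows, so it cannot be classified. */
        if (nxt == P_FRAGMENT && (((pkt[o + 2] << 8) | pkt[o + 3]) & 0xfff8))
            return -1;
        nxt = pkt[o];                    /* first byte of each header is its next-header */
        o += hlen;
    }
    *off = o;
    return nxt;
}

int main(void)
{
    size_t off = 0;
    int p = final_proto(sample, sizeof sample, &off);
    printf("naive=%d walked=%d at offset %zu\n", naive_proto(sample, sizeof sample), p, off);
    return 0;
}
```

A filter built on such a walk should treat the -1 result (truncated chain or non-first fragment) as its own case under policy rather than as "not TCP".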