Re: IPFILTER IPv6 support non-functional?

From: itojun@iijlab.net
Date: 03/01/01


To: Darren Reed <darrenr@reed.wattle.id.au>
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 18:49:13 +0900


>> but then what if you would like to permit packets with extension
>> headers? or like only certain combinations?
>> most of the existing packet filter languages have the same issue, btw.
>Or even, what if you want to allow particular combinations or sequences or
>maybe chains of a particular length ?
>As it is, IP Filter can easily filter on whether a particular extension
>header is there or not once I make it recognise them using a procedure
>similar to looking for IP options in fr_makefrip(). What'll actually be
>harder is looking for all the assumptions about the "final protocol
>header" being the "next header" after the IPv{4,6} header and making
>sure as much as possible goes into the *same* mbuf. Ugh.

        i highly recommend you to avoid m_pullup at all, and use m_copydata
        as necessary. m_pullup works only if the header part is
        smaller than MLEN (there's no upper bound in ip6 header length).
        once m_pullup fails, the packet will go away - this is not desirable.

        also, i remember that there are functions in fil.c that pass around
        memory regions without passing memory region length...
        i'd like to suggest to pass around mbuf *, but i know that the
        portability issue will not permit that to you. so i'd recommend
        to always pass around <buf + length> pairs.

>Anyway, once all that is sorted out, the filtering will be limited to
>what can be done with IPv4 options - is that sufficient ?

        i guess so, but i'm not 100% certain.

itojun
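
As an added illustration of the two recommendations above (this is not code from IP Filter or from the author of the message), here is one way to walk an IPv6 extension header chain over a <buf + length> pair, copying out only the bytes needed with a bounds check instead of assuming the headers are contiguous. The names `copy_out`, `ip6_final_header`, `sample_pkt` and the `IP6_MAXCHAIN` limit are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IP6_HDRLEN   40   /* fixed IPv6 header */
#define IP6_MAXCHAIN 16   /* assumed local policy limit, not from any standard */

/* Constructed sample: IPv6 + hop-by-hop (8) + dest opts (8) + 20 bytes for TCP. */
const uint8_t sample_pkt[76] = { [0] = 0x60, [5] = 36, [6] = 0,
    [40] = 60, [42] = 1, [43] = 4, [48] = 6, [50] = 1, [51] = 4 };

/* Bounds-checked copy from a <buf, len> pair; plays the role of m_copydata(). */
static int copy_out(const uint8_t *buf, size_t len, size_t off, size_t n, void *dst)
{
    if (off > len || n > len - off)
        return -1;                        /* would read past the end: refuse */
    memcpy(dst, buf + off, n);
    return 0;
}

/* Returns the final protocol number, its offset in *offp and the number of
 * extension headers skipped in *countp; -1 if truncated, malformed or too long.
 * For a non-first fragment the offset is not an upper-layer header. */
int ip6_final_header(const uint8_t *buf, size_t len, size_t *offp, int *countp)
{
    uint8_t fixed[IP6_HDRLEN], h[2], nxt;
    size_t off = IP6_HDRLEN, hlen;
    int count = 0;
    if (copy_out(buf, len, 0, sizeof(fixed), fixed) < 0 || (fixed[0] >> 4) != 6)
        return -1;
    nxt = fixed[6];
    while (nxt == 0 || nxt == 43 || nxt == 44 || nxt == 51 || nxt == 60) {
        if (++count > IP6_MAXCHAIN || copy_out(buf, len, off, 2, h) < 0)
            return -1;
        if (nxt == 44)
            hlen = 8;                         /* fragment header: fixed size */
        else if (nxt == 51)
            hlen = ((size_t)h[1] + 2) * 4;    /* AH: length in 4-byte units */
        else
            hlen = ((size_t)h[1] + 1) * 8;    /* hop-by-hop, routing, dest opts */
        if (hlen > len - off)
            return -1;                        /* header runs past the buffer */
        off += hlen;
        nxt = h[0];
    }
    *offp = off; *countp = count;
    return nxt;
}
```

A caller can then match a rule on the returned protocol and on the header count, and treat -1 as a parse failure that the filter policy decides on, rather than losing the packet inside the parser.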
