From owner-freebsd-security Wed Feb 28 12: 2:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from light.imasy.or.jp (light.imasy.or.jp [202.227.24.4]) by hub.freebsd.org (Postfix) with ESMTP id 304FC37B718; Wed, 28 Feb 2001 12:02:49 -0800 (PST) (envelope-from ume@mahoroba.org) Received: (from uucp@localhost) by light.imasy.or.jp (8.11.2+3.4W/3.7W-light/smtpfeed 1.10) with UUCP id f1SK1br01095; Thu, 1 Mar 2001 05:01:37 +0900 (JST) (envelope-from ume@mahoroba.org) Received: from peace.mahoroba.org (IDENT:HpR0Oasz/YnF9QDv6STQ4ew2RG2HHLYzEhjnBUDzL6O6jNMOcRAtet6gSNAZwrj0@peace.mahoroba.org [2001:200:301:0:200:f8ff:fe05:3eae]) by mail.mahoroba.org (8.11.2/8.11.2/chaos) with ESMTP/inet6 id f1SJwPB12338; Thu, 1 Mar 2001 04:58:25 +0900 (JST) (envelope-from ume@mahoroba.org) Date: Thu, 01 Mar 2001 04:58:25 +0900 (JST) Message-Id: <20010301.045825.71113666.ume@mahoroba.org> To: Arjan.deVet@adv.iae.nl Cc: n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org Cc: itojun@iijlab.net Subject: Re: IPFILTER IPv6 support non-functional? From: Hajimu UMEMOTO In-Reply-To: <20010228204903.A7822@adv.devet.org> References: <20010228094504.A56540@hamlet.nectar.com> <20010228181426.A9026@dohd.org> <20010228204903.A7822@adv.devet.org> X-Mailer: xcite1.38> Mew version 1.95b97 on Emacs 20.7 / Mule 4.0 =?iso-2022-jp?B?KBskQjJWMWMbKEIp?= X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC X-URL: http://www.imasy.org/~ume/ X-OS: FreeBSD 5.0-CURRENT Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> On Wed, 28 Feb 2001 20:49:03 +0100 >>>>> Arjan de Vet said: Arjan.deVet> Mark Huizer wrote: >I (and Guido van Rooij) had a look at this during a boring meeting some >time ago, but it seems there were a few patches missing in the -current >tree (something like the stuff in ipv6-patch in the FreeBSD-4.0 >directory). Arjan.deVet> Indeed. That piece of code is not present in both -current and -stable. Arjan.deVet> The ipv6-patch-4.1 file from the ipfilter distribution patches without Arjan.deVet> problems and I've checked that the -stable kernel compiles with INET6 Arjan.deVet> and IPFILTER enabled. I don't have an IPv6 setup myself so I cannot test Arjan.deVet> it. >But for the record: no, ipfilter doesn't work with filtering >IPv6 in the current setup in FreeBSD -current Arjan.deVet> The missing code from that patch would indeed explain that. Arjan.deVet> Would the KAME people have problems integrating this patch to enable Arjan.deVet> IPv6 for IP-filter? I believe KAME doesn't maintain IP-filter at all. But, itojun said that calculation of payload length is wrong. -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message