From: itojun@iijlab.net
To: Hajimu UMEMOTO
Cc: Arjan.deVet@adv.iae.nl, n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
Date: Thu, 01 Mar 2001 13:01:39 +0900
Message-ID: <14300.983419299@coconut.itojun.org>
In-reply-to: ume's message of Thu, 01 Mar 2001 04:58:25 JST. <20010301.045825.71113666.ume@mahoroba.org>

>> Would the KAME people have problems integrating this patch to enable
>> IPv6 for IP-filter?

>I believe KAME doesn't maintain IP-filter at all. But, itojun said
>that calculation of payload length is wrong.

yup, that is what i saw in the latest. also ipf does not chase
extension headers, so even if you try to filter tcp, "tcp with
routing header" will go through. not sure how should we model filter
languages in presence of header chain.

I guess it is safer to enable it in main trunk, and get it tested against
IPv6 traffic for some time. it looks that there's too little time
for 4.3 to have IPv6 ipf enabled.

itojun
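The extension-header point in the message above, as an added example (not part of the original message and not ipf code): a filter that reads only the fixed header's Next Header field sees 43 (routing) for "tcp with routing header", while a bounded walk of the header chain finds TCP. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IP6_HDRLEN 40

/* Constructed sample: fixed header, 8-byte routing header, 20-byte TCP header. */
static const uint8_t sample[68] = { [0] = 0x60, [5] = 28, [6] = 43, [7] = 64, [40] = 6 };

/* Naive classification: trusts the fixed header's Next Header byte. */
int ip6_naive_proto(const uint8_t *pkt) { return pkt[6]; }

/* Walks the extension header chain and returns the upper-layer protocol
 * number, or -1 if the packet is truncated, malformed or a non-first
 * fragment (no upper-layer header to classify). */
int ip6_upper_proto(const uint8_t *pkt, size_t caplen)
{
    if (caplen < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    /* Payload length (bytes 4-5) excludes the 40-byte fixed header. */
    size_t end = IP6_HDRLEN + (((size_t)pkt[4] << 8) | pkt[5]);
    if (end > caplen)
        return -1;
    uint8_t nh = pkt[6];
    size_t off = IP6_HDRLEN, len;
    for (;;) {
        switch (nh) {
        case 0: case 43: case 60:   /* hop-by-hop, routing, destination options */
            if (off + 2 > end) return -1;
            len = ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case 44:                    /* fragment header, fixed 8 bytes */
            if (off + 8 > end) return -1;
            if ((((unsigned)pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8)
                return -1;          /* fragment offset != 0 */
            len = 8;
            break;
        case 51:                    /* AH: length field is 4-byte units minus 2 */
            if (off + 2 > end) return -1;
            len = ((size_t)pkt[off + 1] + 2) * 4;
            break;
        default:                    /* TCP, UDP, ICMPv6, ESP, no-next-header, ... */
            return nh;
        }
        if (off + len > end) return -1;
        nh = pkt[off];              /* first byte of every header above is Next Header */
        off += len;                 /* len >= 8, so the loop always terminates */
    }
}
```

A rule written as "block tcp" has to be matched against the result of the walk, and packets for which the walk returns -1 need an explicit policy of their own.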