Date: Thu, 01 Mar 2001 16:34:37 +0900
From: itojun@iijlab.net
To: Darren Reed <darrenr@reed.wattle.id.au>
Cc: ume@mahoroba.org, Arjan.deVet@adv.iae.nl, n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
Message-ID: <17940.983432077@coconut.itojun.org>
In-Reply-To: darrenr's message of Thu, 01 Mar 2001 18:23:31 +1100. <200103010723.SAA10342@avalon.reed.wattle.id.au>

>> yup, that is what i saw in the latest. also ipf does not chase
>> extension headers, so even if you try to filter tcp, "tcp with
>> routing header" will go through. not sure how should we model filter
>> languages in presence of header chain.
>Aren't TCP, UDP and ICMP required to be the "last header" ? That is,
>they must be preceded by routing headers, etc.

that is what I was trying to mean. TCP/UDP/ICMP are the last header, routing headers are placed between IPv6 header and TCP headers. so a TCP packet with routing header will be like this:

	IPv6 routing TCP payload

ip6_nxt is IPPROTO_ROUTING, and ip6e_nxt in routing header will be IPPROTO_TCP. fil.c:fr_check() does not seem to skip these intermediate headers, so the above packet will pass "drop tcp packets" filter.

itojun
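
The header-chain walk that the message says fr_check() does not do, as an added example that is not part of the original post and is not ipfilter code: `naive_proto()` reads only ip6_nxt, while `final_proto()` follows the next-header fields to the upper-layer protocol and rejects truncated chains. The NH_* names, both function names and the sample packet are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Next-header values (IANA protocol numbers, the IPPROTO_* constants). */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_DSTOPTS = 60 };
#define IP6_HDRLEN 40
/* Constructed sample: IPv6 header + 8-byte routing header + 20-byte TCP header. */
static const uint8_t sample[68] = {
    [0] = 0x60, [5] = 28, [6] = NH_ROUTING, [7] = 64,
    [40] = NH_TCP,              /* routing header: next header = TCP, len = 0 */
};

/* The check described in the post: only ip6_nxt (byte 6) is consulted. */
static int naive_proto(const uint8_t *pkt, size_t len)
{
    return len >= IP6_HDRLEN ? pkt[6] : -1;
}

static int is_ext(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS ||
           nh == NH_FRAGMENT || nh == NH_AH;
}

/* Walk the chain to the upper-layer protocol; -1 = truncated or malformed (block it). */
static int final_proto(const uint8_t *pkt, size_t len)
{
    if (len < IP6_HDRLEN) return -1;
    uint8_t nxt = pkt[6];
    size_t off = IP6_HDRLEN;
    while (is_ext(nxt)) {
        if (len - off < 8) return -1;   /* extension headers are >= 8 bytes */
        size_t hlen = 8;                /* fragment header is fixed size */
        if (nxt == NH_AH) hlen = (pkt[off + 1] + 2u) * 4;
        else if (nxt != NH_FRAGMENT) hlen = (pkt[off + 1] + 1u) * 8;
        else if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8) return pkt[off];
        if (len - off < hlen) return -1;   /* length field points past the packet */
        nxt = pkt[off];
        off += hlen;
    }
    return nxt;
}

int main(void)
{
    printf("naive=%d walked=%d\n", naive_proto(sample, 68), final_proto(sample, 68));
    return 0;
}
```

A rule matching on `naive_proto()` sees protocol 43 and never matches "tcp"; matching on `final_proto()` sees 6. For a non-first fragment the walk stops at the fragment header, since no further headers are present in that packet.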