From owner-freebsd-security Wed Feb 28 23:34:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8B69B37B719; Wed, 28 Feb 2001 23:34:42 -0800 (PST)
	(envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1])
	by coconut.itojun.org (8.9.3+3.2W/3.7W/smtpfeed 1.06) with ESMTP
	id QAA17942; Thu, 1 Mar 2001 16:34:37 +0900 (JST)
To: Darren Reed
Cc: ume@mahoroba.org, Arjan.deVet@adv.iae.nl, n@nectar.com,
	freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org,
	freebsd-security@freebsd.org, darrenr@freebsd.org
In-reply-to: darrenr's message of Thu, 01 Mar 2001 18:23:31 +1100.
	<200103010723.SAA10342@avalon.reed.wattle.id.au>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPFILTER IPv6 support non-functional?
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 16:34:37 +0900
Message-ID: <17940.983432077@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> yup, that is what i saw in the latest. also ipf does not chase
>> extension headers, so even if you try to filter tcp, "tcp with
>> routing header" will go through. not sure how should we model filter
>> languages in presence of header chain.
>Aren't TCP, UDP and ICMP required to be the "last header" ? That is,
>they must be preceded by routing headers, etc.

	that is what I was trying to mean. TCP/UDP/ICMP are the last header,
	routing headers are placed between IPv6 header and TCP headers.
	so a TCP packet with routing header will be like this:

		IPv6 routing TCP payload

	ip6_nxt is IPPROTO_ROUTING, and ip6e_nxt in routing header will be
	IPPROTO_TCP. fil.c:fr_check() does not seem to skip these
	intermediate headers, so the above packet will pass "drop tcp packets"
	filter.

itojun
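The header-chain walk discussed in the message above, as an added example that is not part of the original post and is not IPFilter's code: a filter that reads only ip6_nxt classifies the "IPv6 routing TCP payload" packet as protocol 43, while following each extension header's next-header field reaches TCP. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* IPv6 Next Header values (IANA protocol numbers). */
enum { NXT_HOPOPTS = 0, NXT_TCP = 6, NXT_ROUTING = 43, NXT_FRAGMENT = 44,
       NXT_AH = 51, NXT_DSTOPTS = 60 };
/* What a filter sees if it reads only the fixed header's next-header byte. */
int naive_proto(const uint8_t *pkt, size_t len) { return len < 40 ? -1 : pkt[6]; }

/* Walk the extension header chain and return the upper-layer protocol, or -1
 * when the chain is truncated or the packet is a non-first fragment. */
int upper_layer_proto(const uint8_t *pkt, size_t len)
{
    size_t off = 40, hlen;
    int nxt = naive_proto(pkt, len);   /* -1 if shorter than the fixed header */
    if (nxt < 0) return -1;
    for (;;) {
        switch (nxt) {
        case NXT_HOPOPTS: case NXT_ROUTING: case NXT_DSTOPTS:
            if (len - off < 2) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* 8-byte units, minus 1 */
            break;
        case NXT_AH:
            if (len - off < 2) return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;   /* 4-byte units, minus 2 */
            break;
        case NXT_FRAGMENT:
            if (len - off < 8) return -1;
            /* Non-zero fragment offset: upper-layer header is not in this packet. */
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8) != 0) return -1;
            hlen = 8;
            break;
        default:
            return nxt;                              /* not an extension header */
        }
        if (len - off < hlen) return -1;             /* header runs past the packet */
        nxt = pkt[off];                              /* first byte is the next header */
        off += hlen;
    }
}

/* Constructed sample: IPv6 header, 8-byte routing header, 20-byte TCP header. */
static const uint8_t sample[68] = { [0] = 0x60, [5] = 28, [6] = NXT_ROUTING,
                                    [7] = 64, [40] = NXT_TCP };
int main(void)
{
    printf("naive=%d walked=%d\n", naive_proto(sample, sizeof sample), upper_layer_proto(sample, sizeof sample));
    return 0;
}
```

A rule such as "drop tcp packets" should match on the value returned by the walk, and a -1 result (truncated chain or non-first fragment) needs its own policy decision rather than a default pass.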