Date:      Thu, 01 Mar 2001 18:49:13 +0900
From:      itojun@iijlab.net
To:        Darren Reed <darrenr@reed.wattle.id.au>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFILTER IPv6 support non-functional?
Message-ID:  <20257.983440153@coconut.itojun.org>
In-Reply-To: darrenr's message of Thu, 01 Mar 2001 20:41:38 +1100. <200103010941.UAA10618@avalon.reed.wattle.id.au>


>> 	but then what if you would like to permit packets with extension
>> 	headers?  or like only certain combinations?
>> 	most of the existing packet filter languages have the same issue, btw.
>Or even, what if you want to allow particular combinations or sequences or
>maybe chains of a particular length ?
>As it is, IP Filter can easily filter on whether a particular extension
>header is there or not once I make it recognise them using a procedure
>similar to looking for IP options in fr_makefrip().  What'll actually be
>harder is looking for all the assumptions about the "final protocol
>header" being the "next header" after the IPv{4,6} header and making
>sure as much as possible goes into the *same* mbuf.  Ugh.

	i highly recommend that you avoid m_pullup altogether, and use m_copydata
	as necessary.  m_pullup works only if the header part is
	smaller than MLEN (there's no upper bound on ip6 header length).
	once m_pullup fails, the packet will go away - this is not desirable.

	also, i remember that there are functions in fil.c that pass around
	memory regions without passing the memory region length...
	i'd like to suggest passing around mbuf *, but i know that the
	portability issue will not permit that for you.  so i'd recommend
	always passing around <buf + length> pairs.

>Anyway, once all that is sorted out, the filtering will be limited to
>what can be done with IPv4 options - is that sufficient ?

	i guess so, but i'm not 100% certain.

itojun
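
The two points above (read headers through bounded copies instead of pulling them up, and always carry a length alongside a buffer) are shown below in a userland C example added here; it is not code from IP Filter, KAME, or either correspondent. The mbuf chain is a constructed stand-in (`struct seg`), `chain_copydata()` mimics the contract of m_copydata() rather than calling the kernel function, and `MAX_EXT_HDRS` is an assumed policy limit since the protocol itself has none. The sample packet bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a BSD mbuf chain: each segment holds a slice of the packet. */
struct seg {
    const uint8_t *data;
    size_t len;
    const struct seg *next;
};

/* Bounded copy modelled on m_copydata(): copy 'len' bytes starting at byte
 * offset 'off' of the chain into 'dst', walking segments as needed.
 * Returns 0 on success, -1 if the chain is shorter than off+len. Unlike a
 * pullup, nothing is reallocated and the chain is never freed on failure. */
static int chain_copydata(const struct seg *m, size_t off, size_t len, uint8_t *dst)
{
    while (m != NULL && off >= m->len) {   /* skip whole segments before 'off' */
        off -= m->len;
        m = m->next;
    }
    while (len > 0) {
        if (m == NULL)
            return -1;                      /* chain too short: refuse, do not drop */
        size_t n = m->len - off;
        if (n > len)
            n = len;
        memcpy(dst, m->data + off, n);
        dst += n; len -= n; off = 0;
        m = m->next;
    }
    return 0;
}

#define IPV6_HDRLEN      40
#define IPPROTO_HOPOPTS   0
#define IPPROTO_ROUTING  43
#define IPPROTO_FRAGMENT 44
#define IPPROTO_DSTOPTS  60
#define MAX_EXT_HDRS      8   /* assumed filter policy limit; IPv6 itself has none */

/* Walk the IPv6 extension-header chain using only bounded copies. Returns the
 * final (upper-layer) protocol number and stores its byte offset in *final_off,
 * or -1 if the packet is truncated or the chain exceeds MAX_EXT_HDRS. */
static int ip6_final_proto(const struct seg *m, size_t *final_off)
{
    uint8_t hdr[IPV6_HDRLEN];
    if (chain_copydata(m, 0, IPV6_HDRLEN, hdr) != 0 || (hdr[0] >> 4) != 6)
        return -1;
    int nxt = hdr[6];                       /* Next Header field */
    size_t off = IPV6_HDRLEN;
    for (int i = 0; i < MAX_EXT_HDRS; i++) {
        uint8_t eh[2], probe;
        size_t hlen;
        switch (nxt) {
        case IPPROTO_HOPOPTS: case IPPROTO_ROUTING: case IPPROTO_DSTOPTS:
            if (chain_copydata(m, off, 2, eh) != 0) return -1;
            hlen = ((size_t)eh[1] + 1) * 8;  /* Hdr Ext Len is in 8-octet units, excluding the first */
            break;
        case IPPROTO_FRAGMENT:
            if (chain_copydata(m, off, 2, eh) != 0) return -1;
            hlen = 8;                        /* fragment header is fixed size */
            break;
        default:
            if (final_off) *final_off = off;
            return nxt;
        }
        /* The length field can claim more than the chain holds: confirm the
         * last byte of this header exists before trusting it and advancing. */
        if (chain_copydata(m, off + hlen - 1, 1, &probe) != 0) return -1;
        nxt = eh[0];
        off += hlen;
    }
    return -1;
}

/* Constructed sample: IPv6 + Hop-by-Hop + Destination Options + start of TCP. */
static const uint8_t pkt[] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x40,   /* v6, payload len 20, nxt=HOPOPTS, hlim 64 */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x01,  /* src 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x02,  /* dst 2001:db8::2 */
    60, 0, 0x01, 0x04, 0, 0, 0, 0,                    /* Hop-by-Hop: nxt=DSTOPTS, len 0, PadN(4) */
    6,  0, 0x01, 0x04, 0, 0, 0, 0,                    /* Dest Opts: nxt=TCP, len 0, PadN(4) */
    0x04, 0xd2, 0x00, 0x16,                           /* first 4 bytes of TCP header (ports) */
};

/* Build a two-segment chain from the first 'total' bytes of pkt, split at 'split',
 * and walk it. This is how a header straddling an mbuf boundary is exercised. */
static int walk_split(size_t total, size_t split, size_t *final_off)
{
    if (total > sizeof pkt || split > total) return -1;
    struct seg s2 = { pkt + split, total - split, NULL };
    struct seg s1 = { pkt, split, &s2 };
    return ip6_final_proto(&s1, final_off);
}

int main(void)
{
    size_t off = 0;
    printf("full chain, split mid-header: proto %d at offset %zu\n", walk_split(60, 50, &off), off);
    printf("chain cut at 49 bytes: %d\n", walk_split(49, 40, NULL));   /* -1: header itself missing */
    printf("chain cut at 50 bytes: %d\n", walk_split(50, 50, NULL));   /* -1: length field lies */
    return 0;
}
```

The 50-byte case is the one worth noting: the two-byte Destination Options header is present, so a walker that trusts the length field would step past the end of the chain; the probe copy catches it, and because no pullup was attempted the packet is still intact for the caller to log or reject on its own terms.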

Archived at: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20257.983440153>