From owner-freebsd-security Sat Mar 3 22:45:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailin1.bigpond.com (unknown [139.134.6.21]) by hub.freebsd.org (Postfix) with ESMTP id 89BC637B718 for ; Sat, 3 Mar 2001 22:45:06 -0800 (PST) (envelope-from darrenr@reed.wattle.id.au)
Received: from CPE-61-9-164-106.vic.bigpond.net.au ([139.134.4.54]) by mailin1.bigpond.com (Netscape Messaging Server 4.15) with SMTP id G9IJ5S01.FKO; Thu, 1 Mar 2001 19:46:40 +1000
Received: from CPE-61-9-164-181.vic.bigpond.net.au ([61.9.164.181]) by mail6.bigpond.com (Claudes-Caring-MailRouter V2.9c 11/5030797); 01 Mar 2001 19:41:57
Received: (from root@localhost) by CPE-61-9-164-106.vic.bigpond.net.au (8.11.0/8.11.0) id f219fqs00984; Thu, 1 Mar 2001 20:41:52 +1100
From: Darren Reed
Message-Id: <200103010941.UAA10618@avalon.reed.wattle.id.au>
Subject: Re: IPFILTER IPv6 support non-functional?
In-Reply-To: <19523.983437566@coconut.itojun.org> from "itojun@iijlab.net" at "Mar 1, 1 06:06:06 pm"
To: itojun@iijlab.net
Date: Thu, 1 Mar 2001 20:41:38 +1100
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some email I received from itojun@iijlab.net, sie wrote:
> >But at the same time they WILL NOT MATCH "pass tcp packets" either.
> >
> >Generally, the policy should be "block everything, permit what you want"
> >and in that case you would end up dropping things with IPPROTO_ROUTING,
> >etc. Even a basic ruleset like:
> >
> >block in all
> >block out all
> >pass out proto tcp/udp all
> >pass in proto tcp/udp all
> >
> >will block all the IPv6 packets with routing headers, etc.
>
> but then what if you would like to permit packets with extension
> headers? or like only certain combinations?
> most of the existing packet filter languages have the same issue, btw.
Or even, what if you want to allow particular combinations or sequences or
maybe chains of a particular length ?

As it is, IP Filter can easily filter on whether a particular extension header
is there or not once I make it recognise them using a procedure similar to
looking for IP options in fr_makefrip(). What'll actually be harder is looking
for all the assumptions about the "final protocol header" being the "next
header" after the IPv{4,6} header and making sure as much as possible goes into
the *same* mbuf. Ugh.

Anyway, once all that is sorted out, the filtering will be limited to what can
be done with IPv4 options - is that sufficient ?

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
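The problem both messages circle around is that a filter which reads only the base header's Next Header field never sees TCP or UDP when an extension header sits in front of them, so "pass in proto tcp/udp all" silently fails to match and the catch-all block rule wins. The example below is added here and is not code from this thread or from IP Filter: it walks the IPv6 next-header chain to the final protocol header (the step Darren says has to replace the "final protocol is the next header" assumption), records which extension headers were present and how many, and then evaluates the quoted "block everything, pass tcp/udp" policy two ways, once naively and once against the real final protocol with a permitted-header bitmask and a chain-length cap, which is the "certain combinations" and "chains of a particular length" filtering asked about. Header layouts follow RFC 2460 (hop-by-hop, routing and destination-options lengths in 8-octet units excluding the first, fragment fixed at 8 bytes, AH length in 4-octet units minus 2). The function names, the MAX_EXT_HDRS bound, the bitmask convention and the sample packets are this example's own constructions, not anything IP Filter does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Next-header values from RFC 2460 / IANA, defined locally so the example
 * builds the same everywhere without <netinet/in.h>. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_ESP = 50, NH_AH = 51, NH_DSTOPTS = 60 };

#define IP6_HDRLEN   40
#define MAX_EXT_HDRS 8                       /* assumed chain-length bound (this example's choice) */
#define EXT_BIT(nh)  ((uint64_t)1 << (nh))  /* bitmask of extension headers seen/permitted */

struct ip6_chain {
    int      final_proto;  /* header following the last extension header, -1 if malformed */
    int      depth;        /* number of extension headers walked */
    uint64_t seen;         /* EXT_BIT(n) set when extension header n was present */
    size_t   final_off;    /* byte offset of the final header within the packet */
};

/* Walk the chain from the base header to the first non-extension header.
 * Returns 0 on success, -1 if the packet is not IPv6, truncated, or the chain
 * exceeds MAX_EXT_HDRS. Options inside hop-by-hop/dstopts are not parsed. */
int ip6_walk_chain(const uint8_t *pkt, size_t len, struct ip6_chain *out)
{
    memset(out, 0, sizeof *out);
    out->final_proto = -1;
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    int    nh  = pkt[6];                 /* Next Header field of the base header */
    size_t off = IP6_HDRLEN;
    for (;;) {
        size_t hlen = 0;
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case NH_FRAGMENT:
            hlen = 8;
            break;
        case NH_AH:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;
            break;
        default:                         /* TCP, UDP, ICMPv6, ESP, no-next-header: chain ends */
            out->final_proto = nh;
            out->final_off   = off;
            return 0;
        }
        if (out->depth >= MAX_EXT_HDRS || off + hlen > len)
            return -1;                   /* over-long or truncated chain: treat as malformed */
        out->seen |= EXT_BIT(nh);
        out->depth++;
        nh   = pkt[off];                 /* every extension header starts with Next Header */
        off += hlen;
    }
}

/* "pass in proto tcp/udp all" evaluated on the base header only: any packet
 * carrying an extension header fails to match and falls through to "block". */
int naive_pass_tcp_udp(const uint8_t *pkt, size_t len)
{
    if (len < IP6_HDRLEN) return 0;
    return pkt[6] == NH_TCP || pkt[6] == NH_UDP;
}

/* Same policy against the real final protocol, with the extension headers the
 * policy tolerates given as a bitmask and a cap on chain length; anything
 * malformed is dropped, matching "block everything, permit what you want". */
int chain_aware_pass_tcp_udp(const uint8_t *pkt, size_t len,
                             uint64_t allowed_ext, int max_depth)
{
    struct ip6_chain c;
    if (ip6_walk_chain(pkt, len, &c) != 0) return 0;
    if (c.final_proto != NH_TCP && c.final_proto != NH_UDP) return 0;
    if (c.seen & ~allowed_ext) return 0;     /* an extension header the policy does not permit */
    if (c.depth > max_depth) return 0;
    return 1;
}

/* Constructed sample packet: base header, n minimal 8-byte extension headers
 * in the given order, then a 20-byte TCP-sized final header; addresses zero. */
size_t build_packet(uint8_t *buf, size_t cap, const int *exts, int n, int final_proto)
{
    size_t need = IP6_HDRLEN + (size_t)n * 8 + 20;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 0x60;                                      /* version 6 */
    buf[6] = (uint8_t)(n > 0 ? exts[0] : final_proto);
    buf[7] = 64;                                        /* hop limit */
    size_t off = IP6_HDRLEN;
    for (int i = 0; i < n; i++, off += 8) {
        buf[off]     = (uint8_t)(i + 1 < n ? exts[i + 1] : final_proto);
        buf[off + 1] = 0;   /* length field 0 means 8 bytes for every type used here, AH included */
    }
    buf[off + 3] = 22;                                  /* TCP dst port 22 (constructed) */
    off += 20;
    buf[4] = (uint8_t)((off - IP6_HDRLEN) >> 8);        /* payload length */
    buf[5] = (uint8_t)((off - IP6_HDRLEN) & 0xff);
    return off;
}

int main(void)
{
    uint8_t pkt[128];
    const int chain[] = { NH_ROUTING, NH_DSTOPTS, NH_FRAGMENT };
    size_t len = build_packet(pkt, sizeof pkt, chain, 3, NH_TCP);
    struct ip6_chain c;
    ip6_walk_chain(pkt, len, &c);
    printf("final proto %d after %d extension headers at offset %zu\n",
           c.final_proto, c.depth, c.final_off);
    printf("naive pass: %d, chain-aware pass (routing+dstopts+fragment, depth<=3): %d\n",
           naive_pass_tcp_udp(pkt, len),
           chain_aware_pass_tcp_udp(pkt, len,
               EXT_BIT(NH_ROUTING) | EXT_BIT(NH_DSTOPTS) | EXT_BIT(NH_FRAGMENT), 3));
    return 0;
}
```

Two caveats a filter author would want beyond what this shows: a non-initial fragment carries only the Fragment header, so the "final protocol" the walk reports is not actually present in that packet and needs the reassembly state Darren alludes to with the mbuf remark; and ESP ends the walk because its real Next Header lives in the encrypted trailer, so a policy that permits ESP cannot see through it.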