Extension headers and firewalls

Simon Perreault simon.perreault at viagenie.ca
Fri Jul 20 16:07:27 CEST 2012


On 2012-07-20 04:10, Brian E Carpenter wrote:
> I'm hearing that shim6 headers are blocked by the BSD pf firewall, and that
> the problem extends to other types of extension header.

pf has no special knowledge of shim6. It considers shim6 as a transport 
protocol and doesn't look beyond it. So the only way to make pf pass 
shim6 packets is with a "pass" rule allowing all protocols or with a 
"pass proto 140" rule allowing the shim6 header specifically (but then 
you can't filter based on what follows).

It should be fairly easy (and fun!) to add. Check out pf_walk_header6() 
in pf.c:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c?rev=1.808

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
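The behaviour Simon describes above, shown as an added example that is not code from pf or from the original post: a small Python walker steps over the IPv6 extension headers a filter knows (hop-by-hop, routing, fragment, AH, destination options), stops at the first header it does not know, and reports that protocol number as what a "pass proto N" rule is matched against. With shim6 unknown, a shim6+TCP packet is seen as protocol 140 and "pass proto tcp" does not match it; teaching the walker the 8-byte shim6 payload header (RFC 5533 section 5.1, which uses the standard Hdr Ext Len encoding) exposes the TCP header behind it. The `pf_like_filter` rule model (last match wins, default block) is a deliberate simplification and not pf's rule engine; the real walker is the `pf_walk_header6()` Simon points to. All packets are constructed inline from documentation addresses, not captured traffic.

```python
"""
Walk an IPv6 extension-header chain the way a stateless packet filter has to,
and show what a filter sees when a header it does not know (shim6, protocol
140) sits between IPv6 and the transport.  Added example, not code from pf or
from the original post; every packet here is constructed inline, not captured.
"""
import struct

HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
TCP, NONE = 6, 59
SHIM6 = 140  # IANA protocol number for the Shim6 header (RFC 5533)

# Extension headers a filter can step over without understanding their contents.
STANDARD_EXT = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}


def ext_len(proto, hdr):
    """Byte length of an extension header, derived from its first 8 bytes."""
    if proto == FRAGMENT:          # fixed-size header
        return 8
    if proto == AH:                # RFC 4302: length in 4-octet units, minus 2
        return (hdr[1] + 2) * 4
    return (hdr[1] + 1) * 8        # RFC 8200 style: 8-octet units, not counting the first 8


def walk_header6(pkt, shim6_aware=False):
    """Return (proto, offset) of the first header the walker cannot step over.

    That protocol number is what a 'pass proto N' rule is matched against.
    shim6_aware=False models a filter with no knowledge of shim6: 140 is treated
    as a terminal transport protocol.  shim6_aware=True steps over the 8-byte
    shim6 payload header (RFC 5533 5.1, standard Hdr Ext Len encoding) like any
    other extension header, exposing the real transport.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    walkable = STANDARD_EXT | ({SHIM6} if shim6_aware else set())
    proto, off = pkt[6], 40
    while proto in walkable:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        hdr = pkt[off:off + 8]
        if proto == FRAGMENT and (struct.unpack("!H", hdr[2:4])[0] >> 3) != 0:
            return proto, off      # non-first fragment: the transport header is not in this packet
        length = ext_len(proto, hdr)
        if off + length > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        proto, off = hdr[0], off + length
    return proto, off


def pf_like_filter(pkt, rules, shim6_aware=False):
    """Evaluate rules of the form (action, proto_or_None); None means any protocol.
    Last matching rule wins and the default is block, as in pf without 'quick'.
    Simplified model for illustration only, not pf's actual rule engine."""
    proto, _ = walk_header6(pkt, shim6_aware)
    decision = "block"
    for action, rule_proto in rules:
        if rule_proto is None or rule_proto == proto:
            decision = action
    return decision


# --- constructed packets (documentation prefix 2001:db8::/32) ---------------

def ipv6(next_header, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def dstopts(next_header):
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])  # 8 bytes, filled with one PadN option


def shim6_payload(next_header, ctx_tag=0x2a):
    # Next Header, Hdr Ext Len = 0 (8 bytes total), P=1 (payload) + 47-bit receiver context tag
    return bytes([next_header, 0]) + struct.pack("!Q", (1 << 47) | ctx_tag)[2:]


def fragment(next_header, offset_8oct, ident=0x1234):
    return bytes([next_header, 0]) + struct.pack("!HI", offset_8oct << 3, ident)  # M=0


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

PKT_TCP = ipv6(TCP, TCP_SYN)
PKT_DSTOPTS_TCP = ipv6(DSTOPTS, dstopts(TCP) + TCP_SYN)
PKT_SHIM6_TCP = ipv6(SHIM6, shim6_payload(TCP) + TCP_SYN)
PKT_LATER_FRAG = ipv6(FRAGMENT, fragment(TCP, 8) + b"\x00" * 16)

if __name__ == "__main__":
    pass_tcp = [("pass", TCP)]
    for name, pkt in [("plain tcp", PKT_TCP), ("dstopts+tcp", PKT_DSTOPTS_TCP),
                      ("shim6+tcp", PKT_SHIM6_TCP), ("later fragment", PKT_LATER_FRAG)]:
        print(name, walk_header6(pkt), pf_like_filter(pkt, pass_tcp),
              pf_like_filter(pkt, pass_tcp, shim6_aware=True))
```

Running it shows the three options from the post: `[("pass", None)]` passes the shim6 packet because it never looks at the protocol, `[("pass", SHIM6)]` passes it because the walker stops at 140, and `[("pass", TCP)]` blocks it until the walker is told how long a shim6 header is. The non-first-fragment case is included because it is the other situation where a walker cannot reach the transport header and a filter has to decide on the extension header alone.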