Extension headers and firewalls
Simon Perreault
simon.perreault at viagenie.ca
Fri Jul 20 16:07:27 CEST 2012
On 2012-07-20 04:10, Brian E Carpenter wrote:
> I'm hearing that shim6 headers are blocked by the BSD pf firewall, and that
> the problem extends to other types of extension header.

pf has no special knowledge of shim6. It considers shim6 as a transport
protocol and doesn't look beyond it. So the only way to make pf pass
shim6 packets is with a "pass" rule allowing all protocols or with a
"pass proto 140" rule allowing the shim6 header specifically (but then
you can't filter based on what follows).

It should be fairly easy (and fun!) to add. Check out pf_walk_header6()
in pf.c:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c?rev=1.808

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
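
The behaviour described in the message above, as an added example (not code from pf.c or from the original post): a walker over an IPv6 extension header chain stops at protocol 140 when it does not recognise shim6, and reaches the real transport protocol when it skips the shim6 header like any other extension header. The function names, the `know_shim6` switch and the sample packet are assumptions made for this example; the shim6 length rule is the one in RFC 5533.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define PROTO_SHIM6  140                 /* RFC 5533 */

/* Returns the protocol number at which the walk stops (what the filter then
 * matches "proto" against), or -1 on a truncated packet. know_shim6 is a
 * hypothetical switch; Fragment and AH headers are left out for brevity. */
int walk_ext_headers(const uint8_t *pkt, size_t len, int know_shim6)
{
    if (len < IPV6_HDR_LEN) return -1;
    uint8_t nh = pkt[6];                 /* Next Header of the fixed header */
    size_t off = IPV6_HDR_LEN;
    for (;;) {
        int skippable = nh == 0 || nh == 43 || nh == 60 ||  /* HbH, RH, DO */
                        (nh == PROTO_SHIM6 && know_shim6);
        if (!skippable) return nh;
        if (len - off < 2) return -1;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len units */
        if (len - off < hlen) return -1;
        nh = pkt[off];                   /* Next Header of this ext header */
        off += hlen;
    }
}

/* Constructed sample: IPv6 / shim6 payload extension header / TCP. */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 68);
    buf[0] = 0x60; buf[5] = 28;          /* version 6, payload len 8 + 20 */
    buf[6] = PROTO_SHIM6; buf[7] = 64;   /* next header, hop limit */
    buf[8] = 0x20; buf[9] = 0x01; buf[10] = 0x0d; buf[11] = 0xb8; buf[23] = 1;
    buf[24] = 0x20; buf[25] = 0x01; buf[26] = 0x0d; buf[27] = 0xb8; buf[39] = 2;
    buf[40] = 6; buf[42] = 0x80;         /* shim6: next = TCP, len 0, P bit */
    buf[51] = 80; buf[60] = 0x50;        /* TCP dst port 80, data offset 5 */
    return 68;
}

int main(void)
{
    uint8_t p[68];
    size_t n = build_sample(p);
    printf("shim6 unknown: stops at proto %d\n", walk_ext_headers(p, n, 0));
    printf("shim6 known:   stops at proto %d\n", walk_ext_headers(p, n, 1));
    return 0;
}
```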