Date:      Thu, 11 Jun 2015 15:49:57 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Fernando Gont <fernando@gont.com.ar>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: PF support for IPv6 Extension Headers
Message-ID:  <20150611134957.GC2301@vega.codepro.be>
In-Reply-To: <5578CECE.2050703@gont.com.ar>
References:  <5578CECE.2050703@gont.com.ar>

(From a very quick look at the code)

On 2015-06-10 20:57:02 (-0300), Fernando Gont <fernando@gont.com.ar> wrote:
> What's the level of support of PF wrt IPv6 Extension Headers?
> 
It's pretty limited. 

There's code for a few specific header types (fragment, routing, AH,
hopopts and dstopts) but nothing generic. That means that none of the
things you described (filtering per EH type, EH size or number of EHs)
are supported.

> pf.conf(5) talks about an implicit block rule for packets employing the
> routing header, ...
> 
That appears to be only for the type 0 routing header. Packets with RH0
are always dropped, but other routing headers are left unmolested.

See https://www.ietf.org/rfc/rfc5095.txt .

Regards,
Kristof
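
Added example, not part of the original message and not PF's code: a generic walk of the IPv6 extension header chain that reports the number of EHs, their total size, and whether a type 0 routing header (RFC 5095) is present, which are the properties the thread says PF cannot filter on. The struct, the function name and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct eh_summary {
    int count;      /* extension headers walked */
    size_t bytes;   /* total size of the EH chain */
    int has_rh0;    /* type 0 routing header seen (deprecated by RFC 5095) */
    uint8_t upper;  /* first Next Header value that is not a walked EH */
};

/* Walk the chain after the 40-byte fixed IPv6 header. Returns 0 on success,
 * -1 if the packet is truncated or not IPv6. Assumes an unfragmented packet
 * or a first fragment (later fragments carry payload after the header). */
int walk_eh(const uint8_t *pkt, size_t len, struct eh_summary *s)
{
    size_t off = 40, hlen;
    uint8_t nh;
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    s->count = 0; s->bytes = 0; s->has_rh0 = 0;
    for (nh = pkt[6]; ; s->count++, s->bytes += hlen) {
        if (nh != 0 && nh != 43 && nh != 44 && nh != 51 && nh != 60) {
            s->upper = nh;               /* upper-layer protocol or unknown */
            return 0;
        }
        if (len - off < 8) return -1;    /* every EH is at least 8 bytes */
        if (nh == 44) hlen = 8;                                 /* fragment */
        else if (nh == 51) hlen = ((size_t)pkt[off + 1] + 2) * 4;     /* AH */
        else hlen = ((size_t)pkt[off + 1] + 1) * 8; /* hopopts, routing, dstopts */
        if (len - off < hlen) return -1; /* length field runs past the packet */
        if (nh == 43 && pkt[off + 2] == 0) s->has_rh0 = 1;
        nh = pkt[off]; off += hlen;
    }
}

/* Constructed sample: hopopts (8 bytes, PadN) followed by RH0 (24 bytes). */
static const uint8_t sample_pkt[72] = {
    [0] = 0x60, [5] = 32, [6] = 0, [7] = 64,      /* fixed header, NH=hopopts */
    [40] = 43, [41] = 0, [42] = 1, [43] = 4,      /* hopopts, NH=routing */
    [48] = 59, [49] = 2, [50] = 0, [51] = 1,      /* RH type 0, NH=none */
};
static struct eh_summary sample;

int main(void)
{
    if (walk_eh(sample_pkt, sizeof sample_pkt, &sample) != 0) return 1;
    printf("EHs=%d bytes=%zu rh0=%d upper=%u\n", sample.count, sample.bytes, sample.has_rh0, sample.upper);
    return 0;
}
```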


