[PATCH] Add bridged IPv6 packet filtering
Yasuyuki Kozakai
yasuyuki.kozakai at toshiba.co.jp
Thu Sep 2 17:23:37 CEST 2004
Hi,
From: Henrik Nordstrom <hno at marasystems.com>
Date: Thu, 2 Sep 2004 10:31:05 +0200 (CEST)
> On Thu, 2 Sep 2004, Yasuyuki Kozakai wrote:
>
> > You forgot to find "Jumbo Payload Option" in Hop-by-Hop Options header.
> > Other options may exist in this header.
> >
> > And please truncate packet if actual packet length is greater than
> > Jumbo Payload Length + IPv6 header length.
>
> Hmm.. a bridge should not touch the packet content unless absolutely
> needed to fulfill the Ethernet requirements. Why should it do this on
> IPv6?
Hmm... Indeed, I don't want br_netfilter to change the packet size when just
loading it...
Maybe the alternatives are as follows.
1. Drop such packets. This approach is no different from truncating,
   in that the output is not the same as the input when loading it.
2. Change netfilter modules to use the payload length in the
   IPv4 header/IPv6 header/Jumbogram option. Maybe many changes are
   necessary...
3. Just trust skb->len even if it isn't consistent with the payload length
   in the headers. I'm not sure what happens in this case. At least,
   we have to be careful not to cause a kernel panic and so on.
   The advantage of this case is that the user can select drop/truncate
   by inserting a filtering rule.
Any other ideas?
> Does Netfilter require that too large packets have been truncated?
Many netfilter modules assume that skb->len is the right payload length.
And some modules use this value to calculate checksums.
>
> Regards
> Henrik
>
-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai at toshiba.co.jp>
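The length check the thread is weighing, written as an added user-space C example (not part of the patch, br_netfilter, or any kernel code): it walks the IPv6 header and a leading Hop-by-Hop Options header, picks up a Jumbo Payload option if present, and reports whether the real frame length (skb->len in the kernel) is shorter than, equal to, or longer than what the headers claim. The function names, the constants and the two sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Verdict for comparing the real frame length (skb->len in the kernel) with the
 * length the IPv6 headers claim; drop versus truncate on EXCESS is the policy choice. */
enum ip6_len_check { IP6_LEN_OK, IP6_LEN_SHORT, IP6_LEN_EXCESS, IP6_LEN_BAD };
#define IPV6_HDR_LEN 40
#define NEXTHDR_HOP 0       /* Hop-by-Hop Options header */
#define IP6_OPT_JUMBO 0xC2  /* Jumbo Payload option type, RFC 2675 */
/* Total length the headers claim: 40 + Payload Length, or, when Payload Length is 0
 * and a Hop-by-Hop header follows, 40 + Jumbo Payload Length. Returns -1 if malformed. */
static int ip6_claimed_len(const uint8_t *buf, size_t len, uint32_t *claimed)
{
    if (len < IPV6_HDR_LEN || (buf[0] >> 4) != 6) return -1;
    uint32_t plen = ((uint32_t)buf[4] << 8) | buf[5];
    if (plen != 0 || buf[6] != NEXTHDR_HOP) { *claimed = IPV6_HDR_LEN + plen; return 0; }
    const uint8_t *hbh = buf + IPV6_HDR_LEN;
    if (len < IPV6_HDR_LEN + 8) return -1;
    size_t hbh_len = ((size_t)hbh[1] + 1) * 8;  /* Hdr Ext Len: 8-octet units, first 8 excluded */
    if (len < IPV6_HDR_LEN + hbh_len) return -1;
    for (size_t off = 2; off < hbh_len; ) {      /* walk the TLV-encoded options */
        uint8_t type = hbh[off];
        if (type == 0) { off++; continue; }     /* Pad1 has no length byte */
        if (off + 2 > hbh_len) return -1;
        uint8_t olen = hbh[off + 1];
        if (off + 2 + olen > hbh_len) return -1;
        if (type == IP6_OPT_JUMBO) {
            if (olen != 4) return -1;
            uint32_t jumbo = ((uint32_t)hbh[off + 2] << 24) | ((uint32_t)hbh[off + 3] << 16) |
                             ((uint32_t)hbh[off + 4] << 8) | hbh[off + 5];
            if (jumbo <= 65535) return -1;      /* RFC 2675: must exceed 65535 */
            *claimed = IPV6_HDR_LEN + jumbo;
            return 0;
        }
        off += 2 + olen;
    }
    return -1;  /* Payload Length 0 with Hop-by-Hop but no Jumbo option is an error (RFC 2675) */
}

/* Compare the real length with the claimed one; the check a bridge hook could apply. */
enum ip6_len_check ip6_check_len(const uint8_t *buf, size_t len)
{
    uint32_t claimed;
    if (ip6_claimed_len(buf, len, &claimed) < 0) return IP6_LEN_BAD;
    return len < claimed ? IP6_LEN_SHORT : len > claimed ? IP6_LEN_EXCESS : IP6_LEN_OK;
}
/* Constructed samples (all-zero addresses): an 8-byte payload, and a jumbogram whose
 * 8-byte Hop-by-Hop header (Next Header 59) carries Jumbo Payload Length 65536. */
const uint8_t SAMPLE_PLAIN[48] = { [0] = 0x60, [5] = 8, [6] = 59, [7] = 64 };
const uint8_t SAMPLE_JUMBO[40 + 65536] = { [0] = 0x60, [6] = NEXTHDR_HOP, [7] = 64,
                                           [40] = 59, [42] = IP6_OPT_JUMBO, [43] = 4, [45] = 0x01 };
```

Whether an EXCESS verdict becomes a drop or a truncate is left to the caller, which is exactly the choice the alternatives above are weighing.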