[PATCH] Add bridged IPv6 packet filtering

Yasuyuki Kozakai yasuyuki.kozakai at toshiba.co.jp
Thu Sep 2 17:23:37 CEST 2004


Hi,

From: Henrik Nordstrom <hno at marasystems.com>
Date: Thu, 2 Sep 2004 10:31:05 +0200 (CEST)

> On Thu, 2 Sep 2004, Yasuyuki Kozakai wrote:
> 
> > You forgot to find "Jumbo Payload Option" in Hop-by-Hop Options header.
> > Other options may exist in this header.
> >
> > And please truncate packet if actual packet length is greater than
> > Jumbo Payload Length + IPv6 header length.
> 
> Hmm.. a bridge should not touch the packet content unless absolutely 
> needed to fulfill the Ethernet requirements. Why should it do this on 
> IPv6?

Hmm... Indeed, I don't want br_netfilter to change the packet size when just
loading it...

Maybe the alternatives are as follows.

	1. Drop such packets. This approach is no different from truncating,
	   in that the output is not the same as the input when just loading it.

	2. Change the netfilter modules to use the payload length in the
	   IPv4 header/IPv6 header/Jumbogram option. Many changes may be
	   necessary...

	3. Just trust skb->len even if it isn't consistent with the payload
	   length in the headers. I'm not sure what happens in this case. At
	   least, we have to be careful not to cause a kernel panic and so on.
	   The advantage of this option is that the user can choose to
	   drop/truncate by inserting a filtering rule.

Any other ideas?

> Does Netfilter require that too large packets have been truncated?

Many netfilter modules assume that skb->len is the right payload length.
And some modules use this value to calculate checksums.

> 
> Regards
> Henrik
> 

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai at toshiba.co.jp>
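The length consistency question discussed above (find the Jumbo Payload option in the Hop-by-Hop header, then compare the length the headers declare with the actual packet length) can be separated from the policy decision. The following is an added example, not Kozakai's patch and not br_netfilter or netfilter code: a userspace C routine that takes a flat buffer standing in for the sk_buff, locates the Jumbo Payload option (RFC 2675, option type 0xC2), and reports whether the buffer is longer than, shorter than, or equal to the declared length, leaving drop/truncate/trust to the caller. The `sample_*` packets are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV6_HDR_LEN   40
#define NEXTHDR_HOP    0     /* Hop-by-Hop Options header */
#define NEXTHDR_NONE   59    /* no next header */
#define IPV6_TLV_PAD1  0
#define IPV6_TLV_JUMBO 0xC2  /* Jumbo Payload option, RFC 2675 */

enum pkt_len_status {
    PKT_LEN_OK = 0,    /* buffer length equals the header-declared length */
    PKT_LEN_TRAILING,  /* buffer longer than declared: excess bytes at the end */
    PKT_LEN_TRUNCATED, /* buffer shorter than declared */
    PKT_LEN_MALFORMED  /* headers unparsable or in violation of RFC 2675 */
};

/* Walk the Hop-by-Hop Options header, if present, looking for the Jumbo
 * Payload option. Returns 1 (and stores the jumbo length) if found,
 * 0 if absent, -1 if the option area is malformed. */
int ipv6_find_jumbo(const uint8_t *pkt, size_t len, uint32_t *jumbo_len)
{
    if (len < IPV6_HDR_LEN) return -1;
    if (pkt[6] != NEXTHDR_HOP) return 0;          /* no Hop-by-Hop header */

    const uint8_t *hop = pkt + IPV6_HDR_LEN;
    size_t avail = len - IPV6_HDR_LEN;
    if (avail < 8) return -1;
    size_t hoplen = ((size_t)hop[1] + 1) * 8;     /* Hdr Ext Len excludes the first 8 octets */
    if (hoplen > avail) return -1;

    size_t off = 2;                               /* options follow nexthdr + hdrextlen */
    while (off < hoplen) {
        uint8_t type = hop[off];
        if (type == IPV6_TLV_PAD1) { off++; continue; }   /* Pad1 has no length byte */
        if (off + 2 > hoplen) return -1;
        uint8_t optlen = hop[off + 1];
        if (off + 2 + optlen > hoplen) return -1;
        if (type == IPV6_TLV_JUMBO) {
            if (optlen != 4) return -1;
            uint32_t v = ((uint32_t)hop[off + 2] << 24) | ((uint32_t)hop[off + 3] << 16) |
                         ((uint32_t)hop[off + 4] << 8)  |  (uint32_t)hop[off + 5];
            if (v <= 65535) return -1;            /* RFC 2675: must exceed 65535 */
            *jumbo_len = v;
            return 1;
        }
        off += 2 + optlen;
    }
    return 0;
}

/* Compare the buffer length (stand-in for skb->len) with the length the
 * headers declare. Only the mismatch is reported; the caller chooses the
 * policy (drop, truncate, or trust the buffer and let the rules decide). */
enum pkt_len_status ipv6_check_len(const uint8_t *pkt, size_t len, size_t *declared)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return PKT_LEN_MALFORMED;

    uint16_t plen = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint32_t jumbo = 0;
    int r = ipv6_find_jumbo(pkt, len, &jumbo);
    if (r < 0) return PKT_LEN_MALFORMED;

    size_t decl;
    if (r == 1) {
        if (plen != 0) return PKT_LEN_MALFORMED;  /* RFC 2675: Payload Length must be 0 */
        decl = (size_t)jumbo + IPV6_HDR_LEN;
    } else {
        decl = (size_t)plen + IPV6_HDR_LEN;
    }
    *declared = decl;
    if (len > decl) return PKT_LEN_TRAILING;
    if (len < decl) return PKT_LEN_TRUNCATED;
    return PKT_LEN_OK;
}

/* Constructed sample packets (not captured traffic) to exercise the check. */
static uint8_t g_jumbo_buf[70050];
static uint8_t g_plain_buf[64];

/* IPv6 header followed by an 8-octet Hop-by-Hop header carrying Jumbo Payload. */
const uint8_t *sample_jumbo_packet(uint32_t jumbo_len)
{
    memset(g_jumbo_buf, 0, sizeof g_jumbo_buf);
    g_jumbo_buf[0] = 0x60;                        /* version 6; Payload Length left at 0 */
    g_jumbo_buf[6] = NEXTHDR_HOP; g_jumbo_buf[7] = 64;   /* next header, hop limit */
    uint8_t *hop = g_jumbo_buf + IPV6_HDR_LEN;
    hop[0] = NEXTHDR_NONE; hop[1] = 0;            /* header is exactly 8 octets */
    hop[2] = IPV6_TLV_JUMBO; hop[3] = 4;
    hop[4] = (uint8_t)(jumbo_len >> 24); hop[5] = (uint8_t)(jumbo_len >> 16);
    hop[6] = (uint8_t)(jumbo_len >> 8);  hop[7] = (uint8_t)jumbo_len;
    return g_jumbo_buf;
}

/* Plain IPv6 header with an ordinary Payload Length and no extension headers. */
const uint8_t *sample_plain_packet(uint16_t payload_len)
{
    memset(g_plain_buf, 0, sizeof g_plain_buf);
    g_plain_buf[0] = 0x60;
    g_plain_buf[4] = (uint8_t)(payload_len >> 8); g_plain_buf[5] = (uint8_t)payload_len;
    g_plain_buf[6] = NEXTHDR_NONE; g_plain_buf[7] = 64;
    return g_plain_buf;
}
```

A bridge hook that wanted option 3 from the list above would call `ipv6_check_len` and, on `PKT_LEN_TRAILING` or `PKT_LEN_TRUNCATED`, leave the buffer alone and let a filtering rule decide; a hook that wanted option 1 would drop on the same result. `PKT_LEN_MALFORMED` covers the RFC 2675 constraints (Payload Length must be zero when the option is present, and the jumbo length must exceed 65535), which is where a checksum helper trusting skb->len would otherwise be fed an inconsistent value.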


