xt_connlimit 20070628 kernel

Patrick McHardy kaber at trash.net
Wed Jul 4 16:52:58 CEST 2007


Yasuyuki KOZAKAI wrote:
> Logically, IPv6 packets including (almost) mapped addresses can be
> assumed to belong to an IPv4 connection.
> 
> But now I don't want to do that because mapped addresses can cause security
> issues.
> 
> 	http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt
> 	(2.2.  IPv4-mapped IPv6 Addresses)
> 
> These issues arise because IPv6 packets including mapped addresses are handled as
> IPv4 packets. So, to avoid new security issues we don't know about yet, I think
> it's safe not to merge IPv4 connections and IPv6 connections.
> 
> 
> P.S. That's the reason why the hash function of nf_conntrack takes the address family.


Thanks for the explanation Yasuyuki.
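To make the design point in the quoted reply concrete, here is a small added example (not netfilter or kernel code; `conn_key`, `count_conn` and `is_v4_mapped` are names assumed for illustration): a per-source connection counter keyed on (address family, address), so an IPv6 packet carrying the IPv4-mapped form of an address is tracked as a separate entry from the native IPv4 connection rather than merged with it.

```c
/* Added example: keying a connection counter on address family plus
 * address, as the quoted reply says nf_conntrack's hash does, so that
 * ::ffff:192.0.2.1 (IPv6) and 192.0.2.1 (IPv4) never share an entry. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define MAX_KEYS 64

struct conn_key {
    int family;          /* AF_INET or AF_INET6: part of the key on purpose */
    uint8_t addr[16];    /* 4 significant bytes for AF_INET, 16 for AF_INET6 */
};

struct conn_table {
    struct conn_key keys[MAX_KEYS];
    int counts[MAX_KEYS];
    int n;
};

/* Returns 1 if the 16-byte IPv6 address lies in ::ffff:0:0/96 (IPv4-mapped). */
int is_v4_mapped(const uint8_t a[16])
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return memcmp(a, prefix, sizeof prefix) == 0;
}

static int key_equal(const struct conn_key *a, const struct conn_key *b)
{
    size_t len = (a->family == AF_INET) ? 4 : 16;
    return a->family == b->family && memcmp(a->addr, b->addr, len) == 0;
}

/* Records one connection from src (text form) in the given family and
 * returns the per-key count after recording; -1 on bad input or full table. */
int count_conn(struct conn_table *t, int family, const char *src)
{
    struct conn_key k = { .family = family };   /* addr zero-filled */
    if (inet_pton(family, src, k.addr) != 1) return -1;
    for (int i = 0; i < t->n; i++)
        if (key_equal(&t->keys[i], &k)) return ++t->counts[i];
    if (t->n == MAX_KEYS) return -1;
    t->keys[t->n] = k;
    t->counts[t->n] = 1;
    return t->counts[t->n++];
}
```

Without the family in the key, the mapped form would fold into the IPv4 entry and a connlimit-style rule would count (and limit) both as one source, which is exactly the merging the reply argues against.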
