Proto 41 filtering and processing...

Michael H. Warfield mhw at wittsend.com
Mon Sep 13 19:45:39 CEST 2004


Hey all,

	I've got some questions and some observations viv-a-vis proto 41
filtering (that "named" ipv6 but, what it really is, is 6over4 in the
IPv4 tables).  These are problems where IPv4 and IPv6 interreact or
interoperate and some recognition of both layers simultaniously is
required.

	There are cases where, in handling protocol 41 traffic, I want
to respond with IPv4 errors codes.  For instance, if I receive 6to4
traffic (protocol 41 traffic with IPv6 addresses in the 2002::/16
range) from an IPv6 range I don't want to talk to, I want to send back
and IPv4 ICMP protocol unreachable (indicating that I'm not going to
talk protocol 41 with him - think scanners).  To generate the IPv4 ICMP
unreachable error, this needs to be done in the IPv4 tables, correct?
But to select out the packets, I need to examine the IPv6 addresses in
the next header up.  So it's examination of the IPv6 information in the
6over4 protocol (proto 41) by the IPv4 iptables.

	Any thoughts on the best way to accomplish this?

	Second problem...

	Someone issues a proto 41 packet addressed to me but it doesn't
come FROM any source address I recognize in any of my SIT tunnels.  So,
it shows up as proto 41 in the IPv4 tables (does it?).  Does it show up
at all in any of the IPv6 tables?  If so, what input device?  If not, how
is the error generated?  Is it an IPv6 error from one of the IPv6 addresses
or is it an IPv4 error?  Thoughts on that?

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20040913/693639fc/attachment.bin


More information about the netfilter mailing list