Hi,

On Thu, Nov 28, 2013 at 10:53:24AM +0800, Fan Du wrote:
> With this plugin, user could specify IPComp tagged with certain
> CPI that host not interested will be DROPped or any other action.
>
> For example:
> iptables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP
>
> Then input IPComp packet with CPI equates 0x87 will not reach
> upper layer anymore.

I think that, with a little bit more work, you can add support for
IPv6 as well. From RFC 3173:

"In the IPv6 context, IPComp is viewed as an end-to-end payload, and
MUST NOT apply to hop-by-hop, routing, and fragmentation extension
headers."

You can perform that IPv6-specific handling to skip these extension
headers and reach the IPComp header by means of the ipv6_find_hdr()
helper function.

BTW, please post the iptables userspace part as well.
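
The extension-header walk suggested in the reply above, as an added userspace example that is not part of the original mail, the posted patch, or the kernel's code. The function name `ipcomp6_cpi` and both sample packets are constructed for illustration; it is a simplification that skips only hop-by-hop, routing, fragment and destination-options headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 Next Header values; 108 is the protocol number used by "-p 108". */
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60, NH_IPCOMP = 108 };

/* Hypothetical helper: returns the 16-bit CPI of the IPComp header, or -1 if
 * the packet is truncated, malformed, a non-first fragment, or not IPComp. */
int ipcomp6_cpi(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];            /* Next Header of the fixed IPv6 header */
    size_t off = 40;

    while (nh != NH_IPCOMP) {
        size_t hlen;
        if (len - off < 8)          /* every skipped header is >= 8 bytes */
            return -1;
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* length in 8-octet units */
            break;
        case NH_FRAGMENT:
            /* Non-zero offset: the IPComp header is only in the first fragment. */
            if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8)
                return -1;
            hlen = 8;
            break;
        default:                    /* some other upper-layer protocol */
            return -1;
        }
        if (hlen > len - off)       /* declared length runs past the buffer */
            return -1;
        nh = pkt[off];
        off += hlen;
    }
    if (len - off < 4)              /* IPComp: next header, flags, CPI (16 bit) */
        return -1;
    return (pkt[off + 2] << 8) | pkt[off + 3];
}

/* Constructed packets: IPv6 | hop-by-hop (PadN) | fragment | IPComp, CPI 0x0087. */
static const uint8_t sample_first[60] = { [0] = 0x60, [5] = 20, [6] = NH_HOPOPTS, [7] = 64,
    [40] = NH_FRAGMENT, [42] = 1, [43] = 4, [48] = NH_IPCOMP, [51] = 0x01, [56] = 6, [59] = 0x87 };
static const uint8_t sample_later[60] = { [0] = 0x60, [5] = 20, [6] = NH_HOPOPTS, [7] = 64,
    [40] = NH_FRAGMENT, [42] = 1, [43] = 4, [48] = NH_IPCOMP, [51] = 0x09, [56] = 6, [59] = 0x87 };

int main(void) { printf("CPI = 0x%x\n", ipcomp6_cpi(sample_first, sizeof sample_first)); return 0; }
```

A non-first fragment carries no IPComp header of its own, so a match on the CPI has to report "not found" for it rather than read whatever bytes follow the fragment header.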