On Fri, Dec 06, 2013 at 05:56:09PM +0800, Fan Du wrote:
>
>
> On 2013-12-06 02:34, Pablo Neira Ayuso wrote:
> >Hi,
> >
> >On Thu, Nov 28, 2013 at 10:53:24AM +0800, Fan Du wrote:
> >>With this plugin, user could specify IPComp tagged with certain
> >>CPI that host not interested will be DROPped or any other action.
> >>
> >>For example:
> >>iptables -A INPUT -p 108 -m ipcomp --ipcompspi 0x87 -j DROP
> >>
> >>Then input IPComp packet with CPI equates 0x87 will not reach
> >>upper layer anymore.
> >
> >I think that, with a little bit more work, you can add support for
> >IPv6 as well. From RFC 3173:
> >
> >"In the IPv6 context, IPComp is viewed as an end-to-end payload, and
> >MUST NOT apply to hop-by-hop, routing, and fragmentation extension
> >headers."
> >
> >You can perform that IPv6-specific handling to skip these extension
> >headers and reach the IPComp header by means of the ipv6_find_hdr()
> >helper function.

I just noted that you always have to use -p 108 to get this match
working; in that case ip6_tables already sets par->thoff, which you
can use to reach the transport header, so you can skip calling
ipv6_find_hdr().

So adding IPv6 support is even easier to make.
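Added example, not part of the thread or of the patch under review: a userspace C illustration of the check the reply describes, reading the RFC 3173 IPComp header at a given transport-header offset and comparing its CPI. The function names, the min/max range arguments and the sample packet are assumptions made for this example; in the kernel the offset would come from par->thoff rather than being passed in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPComp header layout from RFC 3173: next header, flags, 16-bit CPI. */
struct ipcomp_hdr {
    uint8_t nexthdr;
    uint8_t flags;
    uint8_t cpi[2];              /* network byte order */
};

/* Hypothetical stand-in for the match function: returns 1 if the CPI lies
 * in [cpi_min, cpi_max], 0 if not, -1 if the packet is too short to hold
 * an IPComp header at thoff (never read past the buffer). */
int ipcomp_cpi_match(const uint8_t *pkt, size_t len, size_t thoff,
                     uint16_t cpi_min, uint16_t cpi_max)
{
    struct ipcomp_hdr h;
    uint16_t cpi;

    if (thoff > len || len - thoff < sizeof(h))
        return -1;
    memcpy(&h, pkt + thoff, sizeof(h));
    cpi = (uint16_t)((h.cpi[0] << 8) | h.cpi[1]);
    return cpi >= cpi_min && cpi <= cpi_max;
}

/* Constructed sample: 40-byte IPv6 fixed header with Next Header = 108,
 * followed directly by an IPComp header carrying CPI 0x0087. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t ipcomp[4] = { 6 /* inner: TCP */, 0, 0x00, 0x87 };

    if (cap < 44)
        return 0;
    memset(buf, 0, 44);
    buf[0] = 0x60;               /* IP version 6 */
    buf[5] = 4;                  /* payload length: 4 bytes */
    buf[6] = 108;                /* next header: IPComp */
    buf[7] = 64;                 /* hop limit */
    memcpy(buf + 40, ipcomp, sizeof(ipcomp));
    return 44;
}

int main(void)
{
    uint8_t pkt[64];
    size_t len = build_sample(pkt, sizeof(pkt));

    /* No extension headers in the sample, so the transport offset is 40. */
    printf("match=%d\n", ipcomp_cpi_match(pkt, len, 40, 0x87, 0x87));
    return 0;
}
```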