Hi Pascal.

On Sat, 2013-07-27 at 21:49 +0200, Pascal Hambourg wrote:
> You should not blindly drop UNTRACKED or INVALID IPv6 packets.

I see, ... thanks.

Why not INVALID IPv6 packets? AFAICS, the patch you've mentioned only removes tracking for these kinds of packets, but doesn't mark them invalid.

1) So... are there any other reasonable default rules one should make for IPv6 (or IPv4) then? I guess the kernel itself already assures that any address of its own interfaces is not accepted as source address for packets coming over the wire? I.e. to prevent spoofing of the host's own addresses.

2) What about INVALID/UNTRACKED with respect to IPv4? Is it there still advisable to DROP them unconditionally?

Oh, and btw: does the IPsec handling I do still work with IPv6, or has anything changed there as well? I.e. the idea is that I jump to the ipsec-only-in/out chain for any source/destination host with which I want to accept only incoming/outgoing packets when they're IPsec'ed. The jump happens of course before the:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks,
Chris.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html