On 03/12/17 00:47, Arne Schwabe wrote:
> On 02.12.17 at 17:24, Antonio Quartulli wrote:
>> Some ICMPv6 packets can't be dropped otherwise the entire
>> overlaying network layer (IPv6) would just stop working.
>>
>> Such packets are described in RFC4890, sec. 4.4.1.
>>
>> Improve the mroute packet parsing routine in order to detect
>> these specific packet types and thus avoid PF to drop them.
>>
>> This way, when PF is enabled, the user won't need to whitelist
>> any specific multicast IPv6 address. PF will just work as
>> expected.
>
> (&b); >> + >> + switch (type) >> + { >> + /* >> + * By following the guideline of RFC4890, sec. 4.4.1, the >> + * following are the ICMPv6 packet types that are strictly >> + * required to let a host join a IPv6 network. >> + * Therefore, such packets can't be dropped by PF. >> + */ >> + case OPENVPN_ND_ROUTER_SOLICIT: >> + case OPENVPN_ND_ROUTER_ADVERT: >> + case OPENVPN_ND_NEIGHBOR_SOLICIT: >> + case OPENVPN_ND_NEIGHBOR_ADVERT: >> + case OPENVPN_ND_INVERSE_SOLICIT: >> + case OPENVPN_ND_INVERSE_ADVERT: >> + return true; >> + } >> + return false; >> +}
>
>
> I think we should still drop these if they do not target the local
> network. Otherwise you can just send all information hidden in these
> packet types.
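
Review bot: The switch returns true on the ICMPv6 type alone, so any packet carrying one of the six OPENVPN_ND_* types is exempted from PF regardless of where it is addressed. Router and Neighbor Solicitation/Advertisement messages are link-scoped, and RFC 4861 requires receivers to discard them unless the hop limit is 255, so the exemption could be narrowed by also checking the hop limit and that the destination is link-local or multicast before `return true;`. The switch also has no default label; adding one makes the fall-through to `return false;` explicit.
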
You mean dropping packets not having a link-local address as destination (for unicasts)?

Cheers,

--
Antonio Quartulli
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel