Hi,

Any chance this can be moved forward?

I have tested a server on Windows 10 and Linux (various)
and it all appears to work OK.

The question below appears to be an outstanding issue.

Thanks


On 02/12/17 16:49, Antonio Quartulli wrote:


On 03/12/17 00:47, Arne Schwabe wrote:
On 02.12.17 at 17:24, Antonio Quartulli wrote:
Some ICMPv6 packets can't be dropped, otherwise the entire
overlaying network layer (IPv6) would just stop working.

Such packets are described in RFC4890, sec. 4.4.1.

Improve the mroute packet parsing routine in order to detect
these specific packet types and thus avoid PF to drop them.

This way, when PF is enabled, the user won't need to whitelist
any specific multicast IPv6 address. PF will just work as
expected.

  (&b);
+
+    switch (type)
+    {
+        /*
+         * By following the guideline of RFC4890, sec. 4.4.1, the
+         * following are the ICMPv6 packet types that are strictly
+         * required to let a host join a IPv6 network.
+         * Therefore, such packets can't be dropped by PF.
+         */
+        case OPENVPN_ND_ROUTER_SOLICIT:
+        case OPENVPN_ND_ROUTER_ADVERT:
+        case OPENVPN_ND_NEIGHBOR_SOLICIT:
+        case OPENVPN_ND_NEIGHBOR_ADVERT:
+        case OPENVPN_ND_INVERSE_SOLICIT:
+        case OPENVPN_ND_INVERSE_ADVERT:
+            return true;
+    }
+    return false;
+}
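
Review bot: the `return true` under the six case labels exempts a packet from PF on its ICMPv6 type alone; nothing in this hunk looks at the destination address or the hop limit, so a packet carrying one of these types passes wherever it is headed. Consider requiring a link-local or link-scope multicast destination before returning true, which is the open question in the replies. The switch also has no `default:` label, so adding `default: break;` would make the fall-through to `return false` explicit, and the comment should read "an IPv6 network".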


I think we should still drop these if they do not target the local
network. Otherwise you can just send all information hidden in these
packet types.

You mean dropping packets not having a link-local address as destination
(for unicasts)?




_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
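
One way to express the destination restriction asked about at the end of the thread, as an added example that is not code from the patch or from OpenVPN. The ex_* names are hypothetical, the type numbers are the IANA ICMPv6 values, and the code assumes the ICMPv6 header directly follows the IPv6 header (no extension headers).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EX_IPV6_HDR_LEN   40
#define EX_IPPROTO_ICMPV6 58

/* Link-local unicast (fe80::/10) or multicast with link-local scope (ffx2::). */
static bool ex_dst_is_link_scope(const uint8_t *dst)
{
    if (dst[0] == 0xfe && (dst[1] & 0xc0) == 0x80)
        return true;
    return dst[0] == 0xff && (dst[1] & 0x0f) == 0x02;
}

/* pkt points at the IPv6 header. True only for an ND message that stays on
 * the link. Unicast ND sent to a non-link-local address (RFC 4861 allows
 * this, e.g. for reachability probes) is not exempted here and would fall
 * through to the normal filter rules. */
bool ex_nd_stays_on_link(const uint8_t *pkt, size_t len)
{
    if (len < EX_IPV6_HDR_LEN + 1 || (pkt[0] >> 4) != 6)
        return false;
    if (pkt[6] != EX_IPPROTO_ICMPV6)   /* extension headers: not exempted */
        return false;
    if (pkt[7] != 255)                 /* hop limit 255: not forwarded */
        return false;
    if (!ex_dst_is_link_scope(pkt + 24))
        return false;
    switch (pkt[EX_IPV6_HDR_LEN])      /* ICMPv6 type */
    {
        case 133: case 134:            /* router solicit / advert */
        case 135: case 136:            /* neighbor solicit / advert */
        case 141: case 142:            /* inverse solicit / advert */
            return true;
        default:
            return false;
    }
}

/* Builds a constructed sample packet and classifies it. */
bool ex_check_sample(uint8_t dst0, uint8_t dst1, uint8_t hop, uint8_t type)
{
    uint8_t pkt[EX_IPV6_HDR_LEN + 8];
    memset(pkt, 0, sizeof(pkt));
    pkt[0] = 0x60;                     /* version 6 */
    pkt[6] = EX_IPPROTO_ICMPV6;
    pkt[7] = hop;
    pkt[24] = dst0;                    /* first two destination bytes */
    pkt[25] = dst1;
    pkt[EX_IPV6_HDR_LEN] = type;
    return ex_nd_stays_on_link(pkt, sizeof(pkt));
}
```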
