On Mon, 2009-08-03 at 21:54 -0400, James Carlson wrote:
> >> ACCEPT the part regarding labeling, it looks like that won't work
> >> indeed. I'll fix this code to skip any extension headers (not just
> >> those associated with TX labels).
> >
> > Revising this: There's nothing to do here. The iptun module doesn't
> > pass up anything like that. As with IPsec processing, label insertion
> > and removal happens "below" the point where GLDv3 passes packets up to
> > promiscuous clients.
> >
> > As the comment states, the only IPv6 packets we'll ever see from iptun
> > are either without extension headers, or with a single destination
> > options header containing an encapsulation limit.
>
> So, if a packet looks like this on the wire:
>
>   <outer-IPv6><hop-by-hop><inner-IPv6><TCP>
>
> We'll actually see this in snoop?
>
>   <outer-IPv6><inner-IPv6><TCP>
>
> That's not quite what I was expecting. I didn't think it'd remove bytes
> from the middle of the packet.

ACCEPT. There are some headers that will never get passed up to iptun.
Fragmentation headers won't, obviously. The ip module does reassembly
prior to passing payloads up. IPsec headers are another, and TX labels
are another. You're correct regarding other random extension headers,
though; snoop needs to expect that those could show up and the user-land
filter needs to adjust its offsets to accommodate.

-Seb
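
The offset adjustment discussed above, as an added illustration that is not part of the thread and is not snoop's actual code: a bounds-checked walk over hop-by-hop, routing and destination-options headers to locate the inner header. The function name and the sample packets are assumptions made for this example; fragment and IPsec headers are left out because, per the thread, they are not passed up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN	40
#define NH_HOPOPTS	0	/* hop-by-hop options */
#define NH_IPV6		41	/* encapsulated IPv6: inner header follows */
#define NH_ROUTING	43
#define NH_DSTOPTS	60

/* Return the offset of the first header after the outer IPv6 header and any
 * hop-by-hop, routing or destination-options headers; its protocol number
 * goes in *proto. Returns -1 if the buffer is truncated or not IPv6. */
static long
skip_ipv6_exthdrs(const uint8_t *pkt, size_t len, uint8_t *proto)
{
	size_t off = IPV6_HDR_LEN;

	if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
		return (-1);
	uint8_t nh = pkt[6];		/* Next Header of the fixed header */
	while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
		if (len - off < 2)	/* need Next Header + Hdr Ext Len */
			return (-1);
		size_t extlen = ((size_t)pkt[off + 1] + 1) * 8;
		if (len - off < extlen)	/* header runs past captured data */
			return (-1);
		nh = pkt[off];
		off += extlen;
	}
	*proto = nh;
	return ((long)off);
}

/* Constructed samples (not captured traffic): outer IPv6 header, an optional
 * 8-byte hop-by-hop header (six Pad1 options), then the inner IPv6 header. */
static const uint8_t sample_plain[80] = { [0] = 0x60, [6] = NH_IPV6, [40] = 0x60 };
static const uint8_t sample_hopopts[88] = {
	[0] = 0x60, [6] = NH_HOPOPTS, [40] = NH_IPV6, [48] = 0x60
};

int
main(void)
{
	uint8_t proto = 0;
	long off = skip_ipv6_exthdrs(sample_hopopts, sizeof (sample_hopopts), &proto);
	printf("inner header at offset %ld, protocol %u\n", off, (unsigned)proto);
	return (0);
}
```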