On Jun 12, 2013, at 6:07 PM, [email protected] wrote:
>>> However, anything that says "if the chain is >X, then drop" is broken,
>>> period.
>>
>> FWIW, I don't think anyone has proposed "if the chain is larger than X,
>> then drop".
>
> On the other hand - I, as an operator, may well decide to drop such
> packets.
And, presumably, you as an operator are likely to also have something like:
filter AllowExpected {
    term web {
        from {
            destination-address {
                2001:db8::100/128;
            }
            next-header tcp;
            destination-port [ http https ];
        }
        then accept;
    }
    term example {
        from {
            destination-address {
                2001:db8::123/128;
            }
            next-header udp;
            destination-port 17;
        }
        then accept;
    }
    term default {
        then {
            count default-deny;
            discard;
        }
    }
}
If the router cannot see the L4 header (because it has not sucked enough bytes
up to the filtering widget) you'd expect it to hit the "default" term, I
presume (I sure would!)
This accomplishes the same thing (unless you've decided to choose a smaller
number than the filtering logic supports).
W
BTW: Who added basically every single IETF list to this thread?
>
> Steinar Haug, AS 2116
--
After you'd known Christine for any length of time, you found yourself fighting
a desire to look into her ear to see if you could spot daylight coming the
other way.
-- (Terry Pratchett, Maskerade)
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
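An added illustration of the argument in the message above (example code, not from the thread or any vendor): a toy stateless filter that walks an IPv6 extension-header chain with a fixed byte budget, the bytes it has "sucked up to the filtering widget". When the L4 header lies beyond that budget, no specific term can match and the packet falls through to the default-discard term. The packet builder, the budget values and the addresses are constructed for the example; the two accept terms mirror the filter quoted in the message.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options (length in 8-octet units)
TCP, UDP = 6, 17

def build_packet(dst, ext_chain, l4_proto, dport):
    """Constructed IPv6 packet: base header, ext headers given as (type, size)
    with size a multiple of 8, then a minimal TCP/UDP header carrying dport."""
    first = ext_chain[0][0] if ext_chain else l4_proto
    payload = b""
    for i, (_, size) in enumerate(ext_chain):
        nxt = ext_chain[i + 1][0] if i + 1 < len(ext_chain) else l4_proto
        payload += bytes([nxt, size // 8 - 1]) + b"\x00" * (size - 2)
    payload += struct.pack("!HH", 12345, dport) + b"\x00" * 4  # ports come first in TCP and UDP
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), first, 64)
    hdr += ipaddress.ip_address("2001:db8::1").packed + ipaddress.ip_address(dst).packed
    return hdr + payload

def find_l4(pkt, budget):
    """Walk the extension-header chain using only the first `budget` bytes.
    Returns (proto, dport), or None when the L4 header lies beyond the budget."""
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt in EXT_HEADERS:
        if off + 2 > budget:
            return None
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off + 4 > budget:
        return None
    return nxt, struct.unpack("!H", pkt[off + 2:off + 4])[0]

# (name, destination, protocol, ports) mirroring the two accept terms in the message
TERMS = [
    ("web", "2001:db8::100", TCP, {80, 443}),
    ("example", "2001:db8::123", UDP, {17}),
]

def evaluate(pkt, budget):
    """Apply the terms in order; anything unmatched (including an unreadable
    L4 header) falls through to the default term and is discarded."""
    dst = str(ipaddress.ip_address(pkt[24:40]))
    l4 = find_l4(pkt, budget)
    for name, tdst, proto, ports in TERMS:
        if l4 is not None and dst == tdst and l4[0] == proto and l4[1] in ports:
            return name, "accept"
    return "default", "discard"

if __name__ == "__main__":
    long_chain = build_packet("2001:db8::100", [(0, 64), (60, 64)], TCP, 443)
    print(evaluate(long_chain, 128), evaluate(long_chain, 256))
```

The same HTTPS packet is accepted once the budget covers the whole chain and discarded when it does not, which is the behaviour the message expects from the "default" term.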