HP-UX IPFilter Version 17 Administrator's Guide

4.3.3 IPv6 Extension Headers
You can block or pass packets according to IPv6 extension headers. A simplified rule syntax is
as follows:
block|pass in|out [processing_options] [proto protocol] ip_selector with v6hdrs ipv6_header
where:
processing_options is one or more processing options, such as quick. See “Processing
Options: Logging Packets, Optimizing Rule Processing, and Specifying Interfaces” (page 31) for
more information.
ip_selector is the IP address specification using the keyword all, or the from and to
keywords and IPv6 addresses and optional ports. See “Basic Rule Syntax: Specifying the Action,
Direction, Protocol, IP Addresses, and Ports” (page 28) for more information.
protocol is the protocol name or number. See “Basic Rule Syntax: Specifying the Action,
Direction, Protocol, IP Addresses, and Ports” (page 28) for more information.
ipv6_header is one or more of the following IPv6 extension header types, separated by
commas (,):
dstopts (Destination options header)
hopopts (Hop-by-hop options header)
mobility (Mobile IPv6 Mobility header)
routing (Routing options header)
ah (IPsec Authentication Header)
esp (IPsec Encapsulating Security Payload)
ipv6 (IPv6 tunneled packets)
For example, to block all TCP packets with a Routing options header, use the following rule:
block in proto tcp from any to any with v6hdrs routing
To block all UDP packets with destination option and mobility headers, use the following rule:
block in proto udp from any to any with v6hdrs dstopts,mobility
NOTE: Extension headers are matched explicitly. A packet with only a destination option
header will not match the previous rule. Only packets with both mobility and destination option
headers will match the rule.
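The matching behavior described in the NOTE, as an added Python sketch (not part of this guide and not IPFilter code): it walks the extension header chain of constructed IPv6 packets and requires every header named after v6hdrs to be present. The function names, the sample packets, and the choice to ignore headers the rule does not name are assumptions; the guide does not state how additional headers are treated.

```python
import struct

# v6hdrs keyword -> IPv6 Next Header value (IANA protocol numbers)
V6HDRS = {"hopopts": 0, "ipv6": 41, "routing": 43, "esp": 50,
          "ah": 51, "dstopts": 60, "mobility": 135}
NAMES = {num: key for key, num in V6HDRS.items()}
TCP, UDP = 6, 17

def walk_chain(packet):
    """Return (extension header keywords seen, upper-layer protocol number)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = packet[6], 40, []
    while nxt in (0, 43, 51, 60, 135):          # headers with a length field
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        seen.append(NAMES[nxt])
        # AH counts 4-byte words minus 2; the others count 8-byte units minus 1
        size = (packet[off + 1] + 2) * 4 if nxt == 51 else (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + size
    if nxt in (41, 50):     # tunneled IPv6 or ESP: recorded, not parsed further
        seen.append(NAMES[nxt])
    return seen, nxt

def rule_matches(packet, proto, v6hdrs):
    """Model of 'proto <proto> ... with v6hdrs <list>' (hypothetical helper)."""
    seen, upper = walk_chain(packet)
    # Assumption: every listed header must be present; unlisted ones are ignored.
    return upper == proto and all(h in seen for h in v6hdrs.split(","))

def build(chain, upper):
    """Constructed sample packet: fixed header plus one 8-byte extension header
    per entry in chain. Mobility's Payload Proto is set to upper to mirror the
    guide's UDP rule."""
    protos = [V6HDRS[h] for h in chain] + [upper]
    body = b"".join(bytes([protos[i + 1], 0]) + bytes(6) for i in range(len(chain)))
    return struct.pack("!IHBB", 6 << 28, len(body), protos[0], 64) + bytes(32) + body

if __name__ == "__main__":
    for chain in (["dstopts", "mobility"], ["dstopts"], ["mobility"]):
        print(chain, rule_matches(build(chain, UDP), UDP, "dstopts,mobility"))
```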
4.3.4 Filtering Tunneled Packets
HP-UX IPFilter can filter the following types of tunnel packets:
6-in-4
Use the following rule to filter 6-in-4 tunnel packets:
block in proto 41 from any to any
6-in-6
Use the following rule to filter 6-in-6 tunnel packets:
block in proto 41 from any to any
4-in-6
Use the following rule to filter 4-in-6 tunnel packets:
block in proto ip from any to any