Open Source and information security mailing list archives
Date:	Fri, 16 Jan 2009 00:48:40 -0500
Subject: Re: Sending complete IPv6 packets without bypassing netfilter/IPsec

thanks for taking the time to answer. I thought about this, but was 
discouraged by the following passage in RFC 3542:

   Most IPv4 implementations give special treatment to a raw socket
   created with a third argument to socket() of IPPROTO_RAW, whose value
   is normally 255, to have it mean that the application will send down
   complete packets including the IPv4 header.  (Note: This feature was
   added to IPv4 in 1988 by Van Jacobson to support traceroute, allowing
   a complete IP header to be passed by the application, before the
   IP_HDRINCL socket option was added.)  We note that IPPROTO_RAW has no
   special meaning to an IPv6 raw socket (and the IANA currently
   reserves the value of 255 when used as a next-header field).

So, if you write "should have the same effect as IP_HDRINCL" does this 
mean "this is the way we designed it in Linux, so it should work" or 
"give it a try, I think it might work". The first one would make me try 
harder than the second one. If it does in fact work, then this should 
be documented more prominently somewhere. I did a long and IMHO 
thorough Google search and found no mention of this.

Thanks and kind regards

-----Original Message-----
From: Herbert Xu <>
Sent: Fri, 16 Jan 2009 12:54 am
Subject: Re: Sending complete IPv6 packets without bypassing 
netfilter/IPsec wrote:
> the IPv4 socket interface had the nifty IP_HDRINCL option. It seems
> that an IPv6 version of this option is not available. The proposed
> solution for this seems to be to use libpcap to inject the packet.
> Unfortunately this completely bypasses both, netfilter and IPsec. So,
> am I lost or is there a way to do what I want/need?


should have the same effect as IP_HDRINCL.

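An added example, not code from this thread or from the kernel project: one way to try what the question asks about, an AF_INET6 raw socket created with IPPROTO_RAW and handed a complete packet through sendto() rather than injected at the link layer. It assumes Linux treats such a socket as header-included and that the caller has CAP_NET_RAW; the function names and the UDP payload are illustrative.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One's-complement sum over big-endian 16-bit words (odd tail zero-padded). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Build IPv6 header + UDP header + payload; returns total length, 0 if it does not fit. */
size_t build_ipv6_udp(uint8_t *buf, size_t cap, const struct in6_addr *src,
                      const struct in6_addr *dst, uint16_t sport, uint16_t dport,
                      const void *data, size_t len) {
    size_t ulen = 8 + len;                      /* UDP header + payload */
    if (ulen > 0xFFFF || cap < 40 + ulen) return 0;
    memset(buf, 0, 48);
    buf[0] = 0x60;                              /* version 6, class/flow label 0 */
    buf[4] = (uint8_t)(ulen >> 8); buf[5] = (uint8_t)ulen;   /* payload length */
    buf[6] = IPPROTO_UDP; buf[7] = 64;          /* next header, hop limit */
    memcpy(buf + 8, src, 16);
    memcpy(buf + 24, dst, 16);
    uint8_t *udp = buf + 40;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = buf[4]; udp[5] = buf[5];
    memcpy(udp + 8, data, len);
    /* UDP checksum is mandatory over IPv6: pseudo-header (addresses,
       upper-layer length, next header) followed by the UDP segment. */
    uint32_t acc = sum16(buf + 8, 32, (uint32_t)ulen + IPPROTO_UDP);
    acc = sum16(udp, ulen, acc);
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    uint16_t ck = (uint16_t)~acc;
    if (ck == 0) ck = 0xFFFF;
    udp[6] = (uint8_t)(ck >> 8); udp[7] = (uint8_t)ck;
    return 40 + ulen;
}

/* Hand the finished packet to the kernel. Returns bytes sent or -1. */
long send_complete_ipv6(const uint8_t *pkt, size_t len) {
    int fd = len < 40 ? -1 : socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) return -1;
    struct sockaddr_in6 to = { .sin6_family = AF_INET6 };  /* sin6_port stays 0 */
    memcpy(&to.sin6_addr, pkt + 24, 16);        /* route on the header's destination */
    long n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n;
}
```

To check the netfilter side of the question, add a counting rule to the ip6tables OUTPUT chain for the destination and watch whether its counter moves when the packet is sent.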