Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Pflang + IPv6 extension headers are currently a poor match #239
Pflang, as implemented by both pflua and libpcap, compiles pflang expressions to checks against fixed offsets, before looking at any packets. The consequence of their current implementations is that in the presence of IPv6 extension headers (aside from the special case of exactly one extension header, IPv6-frag), pflang expressions such as
In both libpcap and pflua, byte 20 (the IPv6 'next header') field is being checked against values 6 (TCP) and 0x2c (44, IPv6 fragment header).  If there is an IPv6 fragment header, byte 54 is then checked to see whether that header's "next header" field value is 6 (TCP).
If the next header is an IPv6 extension header other than an IPv6 fragment header, or there is more than one IPv6 extension header, the encapsulated protocol will not be matched by either pflang implementation.
This is a known shortcoming of libpcap, and is somewhat awkward to fix while targeting BPF; the tcpdump-workers bugtracker and mailing list have occasional discussions about how to address it.
 The values are enumerated at http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml