Subject: Re: ALERT: Security hole introduced by patch being backed out on releng-1-5 branch.
To: Steven M. Bellovin <smb@research.att.com>
From: Mike Pelley <mike@solidum.com>
List: tech-security
Date: 10/25/2001 15:45:27

Steven M. Bellovin wrote:

>>It appears someone decided to remove the code which invokes pfil_hooks
>>on forwarded IPv6 packets for the NetBSD 1.5 branch, leading to it not
>>being possible to filter them.  Thanks releng-1-5, you're my heroes.
>
> Do you have a patch for 1.5.x to reinstall it?  Or should I just turn 
> off v6?

Since nothing in the standard 1.5 branch used the IPv6 packets that were 
offered to pfil functions after Darren's change, a user/sys admin would 
be hard pressed to notice the difference.  Claiming they introduced a 
"security hole" may have been excessive.

This change, in _combination_ with changes to (or an upgrade of) 
ipfilter, would allow ipfilter on the 1.5 branch to filter IPv6 packets, 
but by itself it does not.

Mike.