Subject: IPF and IPv6
To: None <current-users@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: current-users
Date: 12/29/2004 14:36:43
Hi!

I'm having problems setting up IPF rules (version 4.1.3,
NetBSD/i386 2.0) for Mobile IPv6. When my Mobile Node is
sending a Binding Update to its Home Agent I'm getting this
in my logs:


Dec 29 13:48:07 fw ipmon[319]: 13:48:07.189320 wm5 @0:15 b 2001:xxxx:xxxx:xxxx:204:75ff:fed6:1743 -> 2001:xxxx:xxxx:xxxx::1 PR ipv6-opts len 40 (96) OUT


The packet looks like this (captured with ethereal). After
the IPv6 header there's one destination option followed by
protocol 135.


Internet Protocol Version 6
     Version: 6
     Traffic class: 0x00
     Flowlabel: 0x00000
     Payload length: 56
     Next header: IPv6 destination option (0x3c)
     Hop limit: 64
     Source address: 2001:xxxx:xxxx:xxxx:204:75ff:fed6:1743
     Destination address: 2001:xxxx:xxxx:xxxx::1
Destination Option Header
     Next header: Mobile IPv6 (0x87)
     Length: 2 (24 bytes)
     PadN: 4 bytes
     Option Type: 201 (0xc9) - Home Address Option
     Option Length : 16
     Home Address : 2001:xxxx:xxxx:xxxx::40
Mobile IPv6
     Payload protocol: IPv6 no next header (0x3b)
     Header length: 3 (32 bytes)
     Mobility Header Type: Binding Update (5)
     Reserved: 0x00
     Checksum: 0x4f67
     Binding Update
         Sequence number: 57751
         1... .... = Acknowledge (A) flag
         .1.. .... = Home Registration (H) flag
         ..0. .... = Link-Local Compatibility (L) flag
         ...0 .... = Key Management Compatibility (K) flag
         Lifetime: 12582 (50328 seconds)
     Mobility Options
         PadN: 2 bytes
         Alternate care-of address: 2001:xxxx:xxxx:xxxx:204:75ff:fed6:1743


Now the questions:

- how do I allow a destination option followed by protocol 135?

- is it possible to allow a destination option with only specific
   option types (padding and 0xC9 in this case)?

Inspired by the logs I've tried this (with and without keep
state) but without any luck:

pass out quick proto ipv6-opts from any to any

All ideas are welcome...

Martti
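
The check the second question describes (accept a Destination Options header only if it carries padding and option 0xC9 and is followed by protocol 135), as an added Python example that is not part of the original post and is not IPF code. The names check_packet and build are hypothetical, and the sample packet is constructed to match the capture's layout, with 2001:db8::/32 standing in for the redacted prefix.

```python
import ipaddress
import struct

PROTO_DSTOPTS = 60     # 0x3c, Destination Options header
PROTO_MOBILITY = 135   # 0x87, Mobility Header
PAD1, PADN, HOME_ADDRESS = 0x00, 0x01, 0xC9
ALLOWED = {PAD1, PADN, HOME_ADDRESS}

def check_packet(pkt, allowed=ALLOWED):
    """Return (ok, reason) for a raw IPv6 packet (no link-layer header)."""
    if len(pkt) < 42 or pkt[0] >> 4 != 6:
        return False, "not a usable IPv6 packet"
    end = 40 + struct.unpack("!H", pkt[4:6])[0]   # fixed header + payload length
    if pkt[6] != PROTO_DSTOPTS or end > len(pkt):
        return False, "no destination options header, or truncated"
    # Extension header length is in 8-byte units, not counting the first 8.
    next_hdr, opts_end = pkt[40], 40 + (pkt[41] + 1) * 8
    if opts_end > end:
        return False, "destination options header overruns payload"
    i = 42
    while i < opts_end:                           # walk the TLV-encoded options
        opt_type = pkt[i]
        if opt_type not in allowed:
            return False, f"option type 0x{opt_type:02x} not allowed"
        if opt_type == PAD1:                      # Pad1 is one byte, no length field
            i += 1
            continue
        if i + 2 > opts_end or i + 2 + pkt[i + 1] > opts_end:
            return False, "option overruns header"
        if opt_type == HOME_ADDRESS and pkt[i + 1] != 16:
            return False, "Home Address option must carry 16 bytes"
        i += 2 + pkt[i + 1]
    if next_hdr != PROTO_MOBILITY:
        return False, f"next header {next_hdr} is not Mobility Header"
    return True, "ok"

def build(opts, next_hdr=PROTO_MOBILITY):
    """Constructed test packet; opts must pad the header to a multiple of 8."""
    src = ipaddress.IPv6Address("2001:db8::204:75ff:fed6:1743").packed
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    dstopts = bytes([next_hdr, (2 + len(opts)) // 8 - 1]) + opts
    upper = bytes([0x3b, 3, 5, 0]) + bytes(28)    # 32-byte Mobility Header, body zeroed
    fixed = struct.pack("!IHBB", 6 << 28, len(dstopts) + len(upper), PROTO_DSTOPTS, 64)
    return fixed + src + dst + dstopts + upper

HOME = ipaddress.IPv6Address("2001:db8::40").packed
BINDING_UPDATE = build(bytes([PADN, 2, 0, 0, HOME_ADDRESS, 16]) + HOME)

if __name__ == "__main__":
    print(check_packet(BINDING_UPDATE))
```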