Subject: Re: IPF and IPv6
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: Greg Troxel <gdt@ir.bbn.com>
List: current-users
Date: 12/29/2004 09:21:01
Which MIPv6 implementation are you running, and are you using KAME
patches in the kernel?

  - how do I allow destination option followed by protocol 135?

  - is it possible to allow destination option with only specific
     option types (padding and 0xC9 in this case)?

A cursory look through netinet/fil.c indicates there isn't any support
for what you want.  It's likely you are on the bleeding edge, and that
ipf needs to be extended for MIPv6.

One path would be to allow expressing fairly arbitrary combinations of
headers, such as you suggest.  Another would be (somehow) to enable
some sort of Mobile IP processing that would, for filtering purposes,
treat destination options with only home address as not present, so
that one's normal firewall rules would apply while mobile.  But, some
people will want to filter these, so that needs to be configurable.

-- 
        Greg Troxel <gdt@ir.bbn.com>
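
The check asked about in the thread, written out as an added example (it is not code from this message or from ipf): walk one IPv6 Destination Options header, accept it only if every option is Pad1, PadN or a 16-byte Home Address option (0xC9), and require that the next header is protocol 135. The function name and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_MOBILITY = 135, OPT_PAD1 = 0x00, OPT_PADN = 0x01, OPT_HOMEADDR = 0xC9 };

/* Illustrative helper, not an ipf function. Return 1 only if h is a
 * well-formed Destination Options header holding nothing but Pad1, PadN
 * and 16-byte Home Address options, and its Next Header field is the
 * Mobility Header (protocol 135); otherwise return 0. */
int mip6_dstopts_pass(const uint8_t *h, size_t avail)
{
    size_t hlen, olen, off = 2;

    if (avail < 8)
        return 0;
    hlen = ((size_t)h[1] + 1) * 8;      /* Hdr Ext Len counts 8-octet units */
    if (hlen > avail)
        return 0;                       /* truncated header */
    while (off < hlen) {
        uint8_t type = h[off];
        if (type == OPT_PAD1) {         /* Pad1 is a single byte, no length */
            off++;
            continue;
        }
        if (off + 2 > hlen)
            return 0;                   /* no room for the length byte */
        olen = h[off + 1];
        if (off + 2 + olen > hlen)
            return 0;                   /* option overruns the header */
        if (type == OPT_HOMEADDR ? olen != 16 : type != OPT_PADN)
            return 0;                   /* bad length, or type not allowed */
        off += 2 + olen;
    }
    return h[0] == NH_MOBILITY;
}

/* Constructed sample: PadN (2 bytes), then Home Address 2001:db8::1. */
static const uint8_t sample_ok[24] = { 135, 2, 1, 2, 0, 0, 0xC9, 16,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
/* Constructed sample: option type 0x1e is not on the allow list. */
static const uint8_t sample_bad[8] = { 135, 0, 0x1e, 4, 0, 0, 0, 0 };

int main(void)
{
    printf("ok=%d bad=%d\n", mip6_dstopts_pass(sample_ok, sizeof sample_ok),
           mip6_dstopts_pass(sample_bad, sizeof sample_bad));
    return 0;
}
```

Rejecting malformed lengths before looking at option types matters here: a filter that skips options it cannot parse would let an unlisted option hide behind a bad length byte.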