We want to filter IPv6 extension headers on FWSM (4.1.x) and we discovered that filtering does not work at all. For example, to filter destination options we used the following IPv6 ACE:
ipv6 access-list OUTSIDE6_IN deny 60 any any
Then packets are sent using extended IPv6 ping from an IOS router, and FWSM ignores the above ACE and forwards the packet to the destination. The same thing happens when using Scapy as the packet generator.
The packet is good because it matches IOS IPv6 ACL Destination options ACE.
I didn't check, but my colleague reported the same issue to me with filtering the Hop-by-hop option on FWSM.
So, is something wrong with the procedure, or is this a new bug?
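
When testing an ACE like the one above, it helps to confirm independently that the test packet really carries protocol 60 in its Next Header chain. The following is an added example, not part of the original post: it walks the chain of a raw IPv6 packet as laid out in RFC 8200. The function names, the 2001:db8:: addresses and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Extension headers sharing the (Next Header, Hdr Ext Len) layout of RFC 8200.
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}


def walk_header_chain(packet: bytes) -> list:
    """Return the Next Header values in order, ending at the first header
    that is not listed in EXT_HEADERS (normally the upper-layer protocol)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    chain = [next_header]
    while next_header in EXT_HEADERS:
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        # Hdr Ext Len counts 8-byte units beyond the first 8 bytes.
        length = (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        next_header = packet[offset]
        chain.append(next_header)
        offset += length
    return chain


def build_packet(ext_types, upper=58):
    """Constructed test packet. ext_types may contain 0 and/or 60; each such
    header is 8 bytes holding one PadN option. The payload is an ICMPv6 echo
    request with the checksum left at 0 (not needed for parsing)."""
    order = list(ext_types) + [upper]
    body = b""
    for following in order[1:]:
        body += bytes([following, 0, 1, 4, 0, 0, 0, 0])  # NH, len, PadN(4)
    body += struct.pack("!BBHHH", 128, 0, 0, 1, 1)
    src = ipaddress.IPv6Address("2001:db8::1").packed  # documentation prefix
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(body), order[0], 64) + src + dst + body


if __name__ == "__main__":
    for exts in ([], [60], [0, 60]):
        chain = walk_header_chain(build_packet(exts))
        print(exts, "->", chain, "| carries 60:", 60 in chain[:-1])
```

Running the walker over a capture taken on each side of the firewall shows whether the header was present on ingress and still present on egress.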