author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2007-05-08 23:36:26 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2007-05-08 23:36:26 +0000 |
commit | 0dfd206b91ac9280864bce3f710978b93bafc300 (patch) | |
tree | ea6cddee4cff03e1afead280e87148b6913e0b24 /sys/net/pf.c | |
parent | 55a9fbab6a6e9ed806ee5d8b1a6670ae3a9b109a (diff) |
block ALL packets with rthdr0 in pf_test6(). We already do this
in ip6_input(), but pf_test6() is called from bridge code as well.
ok dhartmei@ henning@ deraadt@ claudio@
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r-- | sys/net/pf.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 079680a5a20..b57523c639d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.528 2007/05/08 23:31:20 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.529 2007/05/08 23:36:25 mcbride Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -6345,6 +6345,14 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 log = 1;
 goto done;
 }
+ if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: IPv6 rthdr0\n"));
+ action = PF_DROP;
+ REASON_SET(&reason, PFRES_IPOPTIONS);
+ log = 1;
+ goto done;
+ }
 /* FALLTHROUGH */
 }
 case IPPROTO_AH: |
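Review bot: The new `IPV6_RTHDR_TYPE_0` branch sets `PF_DROP` and jumps straight to `done`, but nothing in the code says this is a deliberate policy-independent drop; the rationale exists only in the commit message. A comment above the `if`, for example `/* always drop RH0 here too: pf_test6() is also reached from the bridge code, not only via ip6_input() */`, would stop a later cleanup from removing it as a duplicate of the ip6_input() check. The drop is recorded as `PFRES_IPOPTIONS`, so it presumably shares a reason counter with other option-related drops, and the `log = 1` entry is then the only trace that tells RH0 traffic apart. The enclosing `case` and `pf_test6()` begin and end outside the hunk, so it cannot be confirmed from here that every path to a routing header (for instance one that follows a fragment header) reaches this check.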