authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-12-04 15:13:13 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-12-04 15:13:13 +0000
commit589c344b1584548f2648f374d910240bd1f5b420 (patch)
tree2841c44360dcdb453d12632d645e5516b61e4af3 /sys/net
parent26617bb9ce617d49bed128d475c65b853c597664 (diff)
RFC 4861 requires that all neighbor discovery packets have 255 in
their IPv6 header hop limit field. Let pf drop neighbor solicitation, neighbor advertisement, router solicitation, router advertisement, and redirect ICMP6 packets that do not comply. This enforces that bogus packets cannot be routed when pf is enabled. OK mpi@ sashan@ benno@
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 20e0e1fc5e2..9edbe0f80e6 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1049 2017/12/01 10:33:33 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1050 2017/12/04 15:13:12 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -6602,6 +6602,14 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
case ND_NEIGHBOR_SOLICIT:
case ND_NEIGHBOR_ADVERT:
icmp_hlen = sizeof(struct nd_neighbor_solicit);
+ /* FALLTHROUGH */
+ case ND_ROUTER_SOLICIT:
+ case ND_ROUTER_ADVERT:
+ case ND_REDIRECT:
+ if (pd->ttl != 255) {
+ REASON_SET(reason, PFRES_NORM);
+ return (PF_DROP);
+ }
break;
}
if (icmp_hlen > sizeof(struct icmp6_hdr) &&
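Review bot: The new `if (pd->ttl != 255)` test has no comment saying which requirement it enforces, and 255 is a bare magic number; a line above the `if` such as `/* RFC 4861 6.1, 7.1, 8.1: ND packets must arrive with hop limit 255, i.e. never forwarded */` would record the why, and if `<netinet6/in6.h>` is in scope for this file the existing `IPV6_MAXHLIM` constant can stand in for the literal. Because the drop is reported as `PFRES_NORM`, an operator whose neighbor discovery stops working on a pf-enabled host will see it only in the normalize counter of `pfctl -si`, not as a rule match, which is worth a short comment or a mention in pf.4 so the failure is diagnosable. Whether `pd->ttl` holds the IPv6 hop limit for this path (presumably copied from ip6_hlim earlier in pf_setup_pdesc) cannot be confirmed from the hunk, since the enclosing switch and the function start and end outside it.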