author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-07-04 16:26:24 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-07-04 16:26:24 +0000 |
commit | eabb2574d0e01f431aedde0ab6318074d7fab528 (patch) | |
tree | 9cfe73473b1f0d9f9ca9ef17e491e17d43b199d5 /sys/net | |
parent | 051f2f7b4d53bb28a62731d9dec2cfdb8c6e9321 (diff) |
IPv4 packets with IP options get dropped and no state is created.
IPv6 packets with routing headers are also dropped. Use the same
fix for them to avoid that a state is created.
ok claudio@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 235e6a586d4..b03bf565194 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.757 2011/07/04 06:54:49 claudio Exp $ */
+/*	$OpenBSD: pf.c,v 1.758 2011/07/04 16:26:23 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2997,16 +2997,12 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 	    rtable_l2(act.rtableid) != pd->rdomain)
 		pd->destchg = 1;
 
-	if (r->action == PF_PASS && af == AF_INET && ! r->allow_opts) {
-		struct ip *h4 = mtod(m, struct ip *);
-
-		if (h4->ip_hl > 5) {
-			REASON_SET(&reason, PFRES_IPOPTIONS);
-			pd->pflog |= PF_LOG_FORCE;
-			DPFPRINTF(LOG_NOTICE, "dropping packet with "
-			    "ip options in pf_test_rule()");
-			goto cleanup;
-		}
+	if (r->action == PF_PASS && pd->rh_cnt && ! r->allow_opts) {
+		REASON_SET(&reason, PFRES_IPOPTIONS);
+		pd->pflog |= PF_LOG_FORCE;
+		DPFPRINTF(LOG_NOTICE, "dropping packet with "
+		    "ip/ipv6 options in pf_test_rule()");
+		goto cleanup;
 	}
 
 	if (!state_icmp && r->keep_state) {
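Review bot: The new guard `if (r->action == PF_PASS && pd->rh_cnt && ! r->allow_opts)` replaces a direct look at the IPv4 header (`h4->ip_hl > 5`) with a field that nothing in this hunk populates, so a reader cannot see here which packets `pd->rh_cnt` is nonzero for, nor that it is reliably zero for every address family before this point; the drop-before-state-creation behaviour the commit message describes now rests entirely on that contract. A comment above the condition would make it explicit, e.g. `/* pd->rh_cnt: IPv4 options or IPv6 routing headers seen, presumably filled in by the packet-description setup; nonzero without allow_opts must drop before any state is created */`, with the "presumably" resolved once the setup path is confirmed. The reason code stays PFRES_IPOPTIONS for both families, which is fine, but the log text `"ip/ipv6 options in pf_test_rule()"` calls a routing header an option; `"ip options/ipv6 routing header in pf_test_rule()"` would name what is actually dropped. pf_test_rule begins and ends outside the hunk.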