authorAlexander Bluhm <bluhm@cvs.openbsd.org>2011-07-04 16:26:24 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2011-07-04 16:26:24 +0000
commiteabb2574d0e01f431aedde0ab6318074d7fab528 (patch)
tree9cfe73473b1f0d9f9ca9ef17e491e17d43b199d5 /sys
parent051f2f7b4d53bb28a62731d9dec2cfdb8c6e9321 (diff)
IPv4 packets with IP options get dropped and no state is created.
IPv6 packets with routing headers also get dropped. Use the same fix for them so that no state is created. ok claudio@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c18
1 files changed, 7 insertions, 11 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 235e6a586d4..b03bf565194 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.757 2011/07/04 06:54:49 claudio Exp $ */
+/* $OpenBSD: pf.c,v 1.758 2011/07/04 16:26:23 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2997,16 +2997,12 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
rtable_l2(act.rtableid) != pd->rdomain)
pd->destchg = 1;
- if (r->action == PF_PASS && af == AF_INET && ! r->allow_opts) {
- struct ip *h4 = mtod(m, struct ip *);
-
- if (h4->ip_hl > 5) {
- REASON_SET(&reason, PFRES_IPOPTIONS);
- pd->pflog |= PF_LOG_FORCE;
- DPFPRINTF(LOG_NOTICE, "dropping packet with "
- "ip options in pf_test_rule()");
- goto cleanup;
- }
+ if (r->action == PF_PASS && pd->rh_cnt && ! r->allow_opts) {
+ REASON_SET(&reason, PFRES_IPOPTIONS);
+ pd->pflog |= PF_LOG_FORCE;
+ DPFPRINTF(LOG_NOTICE, "dropping packet with "
+ "ip/ipv6 options in pf_test_rule()");
+ goto cleanup;
}
if (!state_icmp && r->keep_state) {
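Review bot: The new condition on the first added line drops the inline `ip_hl > 5` test and makes the whole unless-allow-opts drop depend on `pd->rh_cnt`, whose population is not visible in this hunk; the IPv4 path is only still protected if the pdesc setup increments `rh_cnt` for headers with options, and a reader of this block cannot tell that from here. If that increment is missing or only covers IPv6 routing headers, IPv4 packets with options would now be passed and create state where they were previously refused, which is the inverse of what the commit intends, so it is worth confirming against the pdesc code. A short comment would make the dependency explicit: `/* pd->rh_cnt counts IPv4 options and IPv6 routing headers (set in pdesc setup); both are refused unless allow-opts, before any state is created. */`. Note also that the log string says "ip/ipv6 options" while the IPv6 case is routing headers, not options, and the reason code `PFRES_IPOPTIONS` is reused for both; the comment should say so rather than leaving the message to imply otherwise. pf_test_rule begins and ends outside this hunk.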