authorAlexandr Nedvedicky <sashan@cvs.openbsd.org>2023-03-04 10:55:38 +0000
committerAlexandr Nedvedicky <sashan@cvs.openbsd.org>2023-03-04 10:55:38 +0000
commit69cd704904c0e97dd09b1e6955bed789b87a512f (patch)
tree7baacaf53a8addfe6b667e3bba70d0bd923bbcdc /sys
parent449ea36ae88cd4859cb4f3efdd16dbcde60ecd08 (diff)
pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail> OK bluhm@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8cb1326a160..a1a334ffb1c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1171 2023/01/22 23:05:51 yasuoka Exp $ */
+/* $OpenBSD: pf.c,v 1.1172 2023/03/04 10:55:37 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -6846,8 +6846,12 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
pd->proto = h->ip_p;
/* IGMP packets have router alert options, allow them */
if (pd->proto == IPPROTO_IGMP) {
- /* According to RFC 1112 ttl must be set to 1. */
- if ((h->ip_ttl != 1) || !IN_MULTICAST(h->ip_dst.s_addr)) {
+ /*
+ * According to RFC 1112 ttl must be set to 1 in all IGMP
+ * packets sent to 224.0.0.1
+ */
+ if ((h->ip_ttl != 1) &&
+ (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
DPFPRINTF(LOG_NOTICE, "Invalid IGMP");
REASON_SET(reason, PFRES_IPOPTIONS);
return (PF_DROP);
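Review bot: The rewritten `if` in the IGMP branch drops the destination sanity check rather than narrowing it — the old `!IN_MULTICAST(h->ip_dst.s_addr)` term is gone entirely, so an IGMP packet addressed to a unicast host, with any TTL, now passes this check, while the commit message only motivates limiting the TTL=1 requirement to 224.0.0.1. If letting unicast-addressed IGMP through is intended, the new comment block should say so, e.g. `* Unicast-addressed IGMP is deliberately not rejected here.`; if not, keep the multicast requirement next to the narrowed TTL test: `if (!IN_MULTICAST(h->ip_dst.s_addr) || ((h->ip_ttl != 1) && (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP))) {`. The "Invalid IGMP" log line then covers both rejection reasons, which may be worth splitting for diagnosis. pf_walk_header begins and continues outside this hunk.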