From ae77e2e2ad4a32ab6603e77a1d3d03b921a1549d Mon Sep 17 00:00:00 2001
From: Jun-ichiro itojun Hagino
Date: Wed, 15 Nov 2006 06:28:34 +0000
Subject: reject multicast packet without scope identifier specified.
---
 etc/netstart | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/etc/netstart b/etc/netstart
index c9487f36ec9..9823cffcb49 100644
--- a/etc/netstart
+++ b/etc/netstart
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $OpenBSD: netstart,v 1.114 2006/06/29 17:23:28 todd Exp $
+# $OpenBSD: netstart,v 1.115 2006/11/15 06:28:33 itojun Exp $
 
 # Strip comments (and leading/trailing whitespace if IFS is set)
 # from a file and spew to stdout
@@ -261,6 +261,10 @@ if ifconfig lo0 inet6 >/dev/null 2>&1; then
 route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null
 route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null
 
+ # Disallow packets without scope identifier.
+ route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject > /dev/null
+ route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject > /dev/null
+
 # Completely disallow packets to IPv4 compatible prefix.
 # This may conflict with RFC1933 under following circumstances:
 # (1) An IPv6-only KAME node tries to originate packets to IPv4
-- 
cgit v1.2.3
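Review bot: The two added reject routes in the second hunk cover only the flag-0 prefixes ff01::/16 and ff02::/16, so interface-local and link-local multicast with a non-zero flags nibble (for example ff11::/16 or ff12::/16) is presumably still not rejected when it arrives at the routing lookup without a scope identifier; whether the kernel catches those elsewhere is not visible here. The comment `# Disallow packets without scope identifier.` also does not say which traffic is meant or why a /16 reject via ::1 leaves properly scoped multicast working. Something like `# Reject interface-local (ff01) and link-local (ff02) multicast that carries no scope id; scoped per-interface routes are expected to be more specific and win.` would state the intent and make the assumption checkable. As with the neighbouring 2002: routes, only stdout is discarded and the exit status of `route` is not checked, so a failed add would leave the filter silently absent. The enclosing `if ifconfig lo0 inet6` block starts and ends outside the hunk.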