From 0dfd206b91ac9280864bce3f710978b93bafc300 Mon Sep 17 00:00:00 2001
From: Ryan Thomas McBride
Date: Tue, 8 May 2007 23:36:26 +0000
Subject: block ALL packets with rthdr0 in pf_test6(). We already do this in ip6_input(), but pf_test6() is called from bridge code as well. ok dhartmei@ henning@ deraadt@ claudio@
---
 sys/net/pf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'sys/net/pf.c')
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 079680a5a20..b57523c639d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.528 2007/05/08 23:31:20 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.529 2007/05/08 23:36:25 mcbride Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -6345,6 +6345,14 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
 log = 1;
 goto done;
 }
+ if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: IPv6 rthdr0\n"));
+ action = PF_DROP;
+ REASON_SET(&reason, PFRES_IPOPTIONS);
+ log = 1;
+ goto done;
+ }
 /* FALLTHROUGH */
 }
 case IPPROTO_AH:
-- 
cgit v1.2.3
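Review bot: The added `if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0)` branch in pf_test6() hard-codes a policy drop that no ruleset can override, and nothing in the code says why; that rationale currently lives only in the commit message. I would put a comment above the test, for example `/* type 0 routing headers are always dropped; ip6_input() does the same, but bridged packets reach pf only through here */`. The drop is recorded as `PFRES_IPOPTIONS`, which by its name is the generic IP-options reason, so anyone reading counters or pflog cannot tell rthdr0 drops from other option drops; if that is intended, the comment should say so. The comparison reads `rthdr`, which is presumably filled by a header pull in the part of the case block that starts above the hunk; it is worth confirming that a short routing header is rejected before this line is reached.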