From 9e635fbf8ac834c0adb363f89719810da1594832 Mon Sep 17 00:00:00 2001 From: Alexander Bluhm Date: Fri, 15 Nov 2013 16:15:43 +0000 Subject: After discussion with deraadt@ and Fernando Gont, it seems that the stack should still scan for IPv6 type 0 routing headers. There are OpenBSD routers running without pf and there are plenty of legacy implementations supporting RH0. Bring back the function ip6_check_rh0hdr() that I removed a month ago. As an improvement to the previous solution, only scan the header chain in ip6_input() if the packet has not been inspected by pf. Both implementations drop packets with RH0 anywhere in the extension header chain. OK mikeb@ henning@ --- sys/net/pf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'sys/net') diff --git a/sys/net/pf.c b/sys/net/pf.c index bf060a789d0..63683e92cda 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.858 2013/11/15 10:18:26 haesbaert Exp $ */ +/* $OpenBSD: pf.c,v 1.859 2013/11/15 16:15:41 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -6490,6 +6490,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0, } } pd.eh = eh; + pd.m->m_pkthdr.pf.flags |= PF_TAG_PROCESSED; switch (pd.virtual_proto) { -- cgit v1.2.3
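Review bot: The added `pd.m->m_pkthdr.pf.flags |= PF_TAG_PROCESSED;` in the pf_test() hunk is a security-relevant signal with no comment explaining it: per the commit message, ip6_input() only scans the header chain when the packet has not been inspected by pf, so this flag is what suppresses the stack's own RH0 check. The line sits right after `pd.eh = eh;` and before `switch (pd.virtual_proto)`, and the hunk does not show where pf's own RH0 drop takes place. Please confirm that every packet reaching this line has already had its extension header chain walked by pf, and add a one-line comment stating that invariant, so a later reordering of pf_test() cannot mark a packet as processed before it has been checked. As far as the visible lines show, paths that leave pf_test() before this assignment do not set the flag, which fails safe because ip6_input() then scans the chain itself; that is worth saying in the comment too.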