| field | value |
|---|---|
| author | 2007-05-08 23:36:25 +0000 |
| committer | 2007-05-08 23:36:25 +0000 |
| commit | 4b5ee8770c9e47a9dd551e433e6f4d5e1e8dc0da (patch) |
| tree | 9d9cf2553ffac543fb1660bac92cf27fc3374abd |
| parent | Routing headers are dangerous. Deal with them the same way as IPv4 options: (diff) |
| download | wireguard-openbsd-4b5ee8770c9e47a9dd551e433e6f4d5e1e8dc0da.tar.xz, wireguard-openbsd-4b5ee8770c9e47a9dd551e433e6f4d5e1e8dc0da.zip |
block ALL packets with rthdr0 in pf_test6(). We already do this
in ip6_input(), but pf_test6() is called from bridge code as well.
ok dhartmei@ henning@ deraadt@ claudio@
-rw-r--r-- | sys/net/pf.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 079680a5a20..b57523c639d 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.528 2007/05/08 23:31:20 mcbride Exp $ */ +/* $OpenBSD: pf.c,v 1.529 2007/05/08 23:36:25 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -6345,6 +6345,14 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, log = 1; goto done; } + if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: IPv6 rthdr0\n")); + action = PF_DROP; + REASON_SET(&reason, PFRES_IPOPTIONS); + log = 1; + goto done; + } /* FALLTHROUGH */ } case IPPROTO_AH: |
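Review bot: the new `if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0)` block in the second hunk (pf_test6(), the IPPROTO_ROUTING case) reads `rthdr`, but the copy that fills that struct and its failure path are outside the visible context; confirm that every path reaching this check has already `goto done` on a short or failed copy, otherwise the comparison runs on uninitialized header bytes. Two smaller points: the drop is recorded with `REASON_SET(&reason, PFRES_IPOPTIONS)`, so it shares a counter and log reason with the IPv4 options drop, which matches the parent commit's intent but is worth a one-line comment so nobody later reads it as a typo; and the debug string `"pf: IPv6 rthdr0\n"` would be more useful to operators if it said that the packet was dropped, e.g. `("pf: dropping IPv6 rthdr0\n")`, matching the commit message's "block ALL packets with rthdr0" rather than leaving the outcome implicit.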