From nobody Thu Jun 26 13:11:42 2025
Date: Thu, 26 Jun 2025 13:11:42 GMT
Message-Id: <202506261311.55QDBgDI022503@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: a62c14538100 - main - pf: drop neighbor discovery packets with the wrong hop limit
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a62c145381001b830cdd1e4781ecb5462c880d77
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a62c145381001b830cdd1e4781ecb5462c880d77

commit a62c145381001b830cdd1e4781ecb5462c880d77
Author:     Kristof Provost
AuthorDate: 2025-06-18 16:28:57 +0000
Commit:     Kristof Provost
CommitDate: 2025-06-26 13:11:00 +0000

    pf: drop neighbor discovery packets with the wrong hop limit

    RFC 4861 requires that all neighbor discovery packets have 255 in their
    IPv6 header hop limit field. Let pf drop neighbor solicitation, neighbor
    advertisement, router solicitation, router advertisement, and redirect
    ICMP6 packets that do not comply. This enforces that bogus packets cannot
    be routed when pf is enabled.

    OK mpi@ sashan@ benno@

    Obtained from:  OpenBSD, bluhm, 441055dec2
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c162b3dd8b3c..25525092efdb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -10220,6 +10220,14 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, case ND_NEIGHBOR_SOLICIT: case ND_NEIGHBOR_ADVERT: icmp_hlen = sizeof(struct nd_neighbor_solicit); + /* FALLTHROUGH */ + case ND_ROUTER_SOLICIT: + case ND_ROUTER_ADVERT: + case ND_REDIRECT: + if (pd->ttl != 255) { + REASON_SET(reason, PFRES_NORM); + return (PF_DROP); + } break; } if (icmp_hlen > sizeof(struct icmp6_hdr) &&
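Review bot: the new ND_ROUTER_SOLICIT, ND_ROUTER_ADVERT and ND_REDIRECT cases reach the `if (pd->ttl != 255)` check but never assign icmp_hlen, so the pull-up guarded by `if (icmp_hlen > sizeof(struct icmp6_hdr) &&` immediately below still only covers the neighbor solicit/advert header length for those three types. If that is intentional (the hop-limit check needs only pd->ttl, not the ICMP6 body), a one-line comment above the three labels saying so would stop a later reader from assuming the RS/RA/redirect headers are guaranteed pulled up; if not, those cases want their own sizeof() before falling into the check. Two smaller points: the check assumes pd->ttl already holds the IPv6 hop limit by the time this switch runs in pf_setup_pdesc, which this hunk does not show and is worth confirming for both directions; and the drop is attributed with `REASON_SET(reason, PFRES_NORM)`, so non-compliant ND packets will surface as normalization drops in pf's counters rather than under a rule, which the commit message or the pf documentation should mention so that operators tracing lost neighbor discovery on a pf-enabled host know where to look.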