Date: Thu, 26 Jun 2025 13:11:43 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 9ab84b78caaf - main - pf: disallow IPv6 routing header by default
Message-ID: <202506261311.55QDBhdh022536@gitrepo.freebsd.org>
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9ab84b78caaf1e167f99139965520ccf7752461b

commit 9ab84b78caaf1e167f99139965520ccf7752461b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-06-19 09:56:10 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-26 13:11:00 +0000

pf: disallow IPv6 routing header by default

pf drops IPv4 packets with any options by default. For IPv6 the same is already done for options header. Add the routing extension header to the list that need "allow-opts" to pass.

OK sashan@ visa@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, bfcbb272c6
Sponsored by: Rubicon Communications, LLC ("Netgate")

--- sys/netpfil/pf/pf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 25525092efdb..521969001f92 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9829,9 +9829,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) pd->proto = h->ip6_nxt; for (hdr_cnt = 0; hdr_cnt < PF_HDR_LIMIT; hdr_cnt++) { switch (pd->proto) { + case IPPROTO_ROUTING: case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: pd->badopts++; + break; } switch (pd->proto) { case IPPROTO_FRAGMENT:
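Review bot: the new `case IPPROTO_ROUTING:` in the first switch of pf_walk_header6() changes the default verdict for existing rulesets, yet the diffstat shows only sys/netpfil/pf/pf.c touched. Rules that passed IPv6 traffic carrying a routing header without "allow-opts" will now see it counted in pd->badopts, so the change should come with an update to the allow-opts description in pf.conf(5) and a note for upgraders, plus a regression test that sends a packet with a routing header against a rule with and without allow-opts. The case also matches on the next-header value alone, so every routing header type is treated the same way; a one-line comment above the switch saying that this is intended would save the next reader from wondering whether a per-type check was left out. The added `break;` after `pd->badopts++;` is fine as a style fix, since it is the last label of that switch and does not alter control flow.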
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202506261311.55QDBhdh022536>