Date: Thu, 26 Jun 2025 13:11:43 GMT
Message-Id: <202506261311.55QDBhdh022536@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 9ab84b78caaf - main - pf: disallow IPv6 routing header by default List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9ab84b78caaf1e167f99139965520ccf7752461b Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=9ab84b78caaf1e167f99139965520ccf7752461b commit 9ab84b78caaf1e167f99139965520ccf7752461b Author: Kristof Provost AuthorDate: 2025-06-19 09:56:10 +0000 Commit: Kristof Provost CommitDate: 2025-06-26 13:11:00 +0000 pf: disallow IPv6 routing header by default pf drops IPv4 packets with any options by default. For IPv6 the same is already done for options header. Add the routing extension header to the list that need "allow-opts" to pass. OK sashan@ visa@ Obtained from: OpenBSD, bluhm , bfcbb272c6 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 25525092efdb..521969001f92 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9829,9 +9829,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) pd->proto = h->ip6_nxt; for (hdr_cnt = 0; hdr_cnt < PF_HDR_LIMIT; hdr_cnt++) { switch (pd->proto) { + case IPPROTO_ROUTING: case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: pd->badopts++; + break; } switch (pd->proto) { case IPPROTO_FRAGMENT:
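Review bot: The added `case IPPROTO_ROUTING:` in the first `switch (pd->proto)` of pf_walk_header6() changes what existing rulesets pass by default, but the diffstat touches only sys/netpfil/pf/pf.c, so neither a documentation update nor a regression test accompanies it. Rules that carried routing-header traffic without "allow-opts" will now see `pd->badopts` incremented and the packet dropped; please add a line to pf.conf(5) under allow-opts stating that the IPv6 routing header is now covered alongside hop-by-hop and destination options, and a test that sends a packet with a routing header against a pass rule with and without allow-opts. The label also matches on `pd->proto` alone, so every routing header counts regardless of its routing type; a short comment above the case labels saying that this is intentional would save the next reader from wondering. The added `break;` after `pd->badopts++;` is fine as a tidy-up, since that case was already the last one in the switch.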