Date: Tue, 2 Sep 2025 21:10:50 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 67082c75f740 - main - pf: should be enforcing TTL=1 to packets sent to 224.0.0.1 only. Message-ID: <202509022110.582LAoFb036364@gitrepo.freebsd.org>
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=67082c75f740ac63d068f154ca0f88e71a3ca960
commit 67082c75f740ac63d068f154ca0f88e71a3ca960
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-12 15:22:30 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-02 21:10:19 +0000
pf: should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail>
OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 58feb3ffc6
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 9 ++++++---
 tests/sys/netpfil/pf/igmp.py | 6 ++++++
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 4325835c7671..a9d89afd58a1 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9997,9 +9997,12 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 pd->proto = h->ip_p;
 /* IGMP packets have router alert options, allow them */
 if (pd->proto == IPPROTO_IGMP) {
- /* According to RFC 1112 ttl must be set to 1. */
- if ((h->ip_ttl != 1) ||
- !IN_MULTICAST(ntohl(h->ip_dst.s_addr))) {
+ /*
+ * According to RFC 1112 ttl must be set to 1 in all IGMP
+ * packets sent to 224.0.0.1
+ */
+ if ((h->ip_ttl != 1) &&
+ (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
 DPFPRINTF(PF_DEBUG_MISC, "Invalid IGMP");
 REASON_SET(reason, PFRES_IPOPTIONS);
 return (PF_DROP);
diff --git a/tests/sys/netpfil/pf/igmp.py b/tests/sys/netpfil/pf/igmp.py
index b339a2825082..5d72a1c093a7 100644
--- a/tests/sys/netpfil/pf/igmp.py
+++ b/tests/sys/netpfil/pf/igmp.py
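Review bot: The new comparison `(h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)` mixes byte orders: `ip_dst.s_addr` is in network order (the removed line converted it with `ntohl()` before testing it), while FreeBSD's netinet/in.h has long defined the `INADDR_*_GROUP` constants as host-order values (`0xe0000001` for 224.0.0.1), unlike OpenBSD, where this change originates and where the constant is already byte-swapped. If that definition still holds, the condition can never match 224.0.0.1 on a little-endian host, so the TTL=1 enforcement the commit means to keep is silently disabled and the only address that would trip it is the non-multicast 1.0.0.224 byte pattern; this is inferred from the header definitions rather than from anything visible in the hunk. The fix is the idiom the rest of the IPv4 stack uses for these constants, `(h->ip_dst.s_addr == htonl(INADDR_ALLHOSTS_GROUP))) {`. pf_walk_header continues outside the hunk.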
@@ -93,3 +93,9 @@ class TestIGMP(VnetTestTemplate):
 options=[sp.IPOption_Router_Alert()]) \
 / sc.igmp.IGMP(type=0x11, mrcode=1)
 assert not self.find_igmp_reply(pkt, ifname)
+
+ # Or with the wrong destination address
+ pkt = sp.IP(dst="224.0.0.2%%%s" % ifname, ttl=2,
+ options=[sp.IPOption_Router_Alert()]) \
+ / sc.igmp.IGMP(type=0x11, mrcode=1)
+ assert not self.find_igmp_reply(pkt, ifname)
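Review bot: The added case asserts only that no reply arrives for a query to 224.0.0.2 with `ttl=2`, but after this commit pf no longer drops that packet (the kernel condition now fires only for 224.0.0.1), so the absent reply presumably comes from the host IGMP stack ignoring a general query not addressed to 224.0.0.1, not from the firewall code under test; the assertion would pass identically if the pf check were removed or broken. A stronger check would confirm that pf actually passes the 224.0.0.2 packet (a pass counter or pflog match rather than a reply) and, unless the preceding case already covers it, that a query to 224.0.0.1 with `ttl=2` is still dropped, which is the behaviour the commit intends to preserve. The comment `# Or with the wrong destination address` also suggests the packet is rejected for its address, which no longer matches the kernel change; `# A non-1 TTL is only rejected for 224.0.0.1; a query to 224.0.0.2 passes pf but must not be answered` would describe it. The enclosing test method starts outside the hunk.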