Alexander Bluhm ([email protected]) on 2017.12.04 14:55:16 +0100:
> Hi,
>
> RFC 4861 requires that all neighbor discovery packets have 255 in
> their IPv6 header hop limit field. Let pf drop neighbor solicitation,
> neighbor advertisement, router solicitation, router advertisement,
> and redirect ICMP6 packets that do not comply. This enforces that
> bogus packets cannot be routed when pf is enabled.
>
> ok?
ok benno@
We also check this in relevant spots in netinet6/ as far as I can see.
> bluhm
>
> Index: net/pf.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
> retrieving revision 1.1049
> diff -u -p -r1.1049 pf.c
> --- net/pf.c 1 Dec 2017 10:33:33 -0000 1.1049
> +++ net/pf.c 4 Dec 2017 13:53:21 -0000
> @@ -6602,6 +6602,14 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_f
> case ND_NEIGHBOR_SOLICIT:
> case ND_NEIGHBOR_ADVERT:
> icmp_hlen = sizeof(struct nd_neighbor_solicit);
> + /* FALLTHROUGH */
> + case ND_ROUTER_SOLICIT:
> + case ND_ROUTER_ADVERT:
> + case ND_REDIRECT:
> + if (pd->ttl != 255) {
> + REASON_SET(reason, PFRES_NORM);
> + return (PF_DROP);
> + }
> break;
> }
> if (icmp_hlen > sizeof(struct icmp6_hdr) &&
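Review bot: the drop at `if (pd->ttl != 255)` is unconditional (no pf rule can pass such a packet) and is reported only under the generic PFRES_NORM reason, yet the diff touches only net/pf.c; a one-line comment above the check naming RFC 4861 (hop limit 255 on all ND messages) and a sentence in the pf(4)/pf.conf(5) documentation would spare the next reader a search for why NS/RA packets vanish into the normalization counter. The fallthrough ordering is right: ND_NEIGHBOR_SOLICIT/ND_NEIGHBOR_ADVERT keep their larger icmp_hlen and the three new cases leave the default, which is fine because the hop limit is read from the IPv6 header, not the ICMPv6 payload. The check does rely on pd->ttl already holding ip6_hlim for AF_INET6 at this point in pf_setup_pdesc (set outside the visible hunk); worth confirming that the outbound path sees the value after ip6_forward() has decremented it, since a forwarded ND packet arriving with 255 and leaving with 254 is exactly the case the commit message wants dropped.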
>
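The rule the patch enforces, as an added stand-alone example that is not OpenBSD's pf code: a user-space C function that reads the hop limit from an IPv6 header and drops the five RFC 4861 neighbor discovery message types when it is not 255, the way the pf hunk above does with pd->ttl. It assumes a bare IPv6 header followed directly by ICMPv6 (no extension headers), uses its own ND_*_T type constants rather than the kernel's netinet/icmp6.h names, and builds constructed packets (fe80::1 to ff02::1, zero checksum) purely for the demonstration.

```c
/*
 * Added example, not pf code: RFC 4861 hop-limit check for neighbor
 * discovery messages, applied to a raw IPv6 packet in user space.
 * Assumptions: no IPv6 extension headers between the IPv6 header and
 * the ICMPv6 header; ICMPv6 checksum is not validated here.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN        40
#define NEXT_HDR_ICMPV6     58

/* ICMPv6 neighbor discovery types from RFC 4861 (own names, not icmp6.h) */
#define ND_ROUTER_SOLICIT_T   133
#define ND_ROUTER_ADVERT_T    134
#define ND_NEIGHBOR_SOLICIT_T 135
#define ND_NEIGHBOR_ADVERT_T  136
#define ND_REDIRECT_T         137

enum verdict { VERDICT_PASS = 0, VERDICT_DROP_ND_HLIM = 1, VERDICT_DROP_SHORT = 2 };

/* Nonzero when type is one of the five ND message types. */
static int is_nd_type(uint8_t type)
{
    return type >= ND_ROUTER_SOLICIT_T && type <= ND_REDIRECT_T;
}

/*
 * Returns VERDICT_DROP_ND_HLIM when an ND packet carries a hop limit
 * other than 255, VERDICT_DROP_SHORT when the packet is too short to
 * inspect, and VERDICT_PASS for everything else (non-IPv6, non-ICMPv6,
 * non-ND, or ND with hop limit 255).
 */
enum verdict nd_hop_limit_check(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN)
        return VERDICT_DROP_SHORT;
    if ((pkt[0] >> 4) != 6)             /* not IPv6: nothing to enforce */
        return VERDICT_PASS;
    uint8_t next_hdr  = pkt[6];
    uint8_t hop_limit = pkt[7];         /* ip6_hlim, what pf stores in pd->ttl */
    if (next_hdr != NEXT_HDR_ICMPV6)
        return VERDICT_PASS;
    if (len < IPV6_HDR_LEN + 4)         /* need type, code and checksum */
        return VERDICT_DROP_SHORT;
    uint8_t icmp_type = pkt[IPV6_HDR_LEN];
    if (is_nd_type(icmp_type) && hop_limit != 255)
        return VERDICT_DROP_ND_HLIM;
    return VERDICT_PASS;
}

/* Build a constructed IPv6 + ICMPv6 packet into buf; returns its length. */
size_t build_icmp6_packet(uint8_t *buf, size_t cap, uint8_t hop_limit, uint8_t icmp_type)
{
    if (cap < IPV6_HDR_LEN + 8)
        return 0;
    memset(buf, 0, IPV6_HDR_LEN + 8);
    buf[0] = 0x60;                      /* version 6, traffic class 0 */
    buf[4] = 0; buf[5] = 8;             /* payload length: 8-byte ICMPv6 header */
    buf[6] = NEXT_HDR_ICMPV6;
    buf[7] = hop_limit;
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 0x01;   /* src fe80::1 (constructed) */
    buf[24] = 0xff; buf[25] = 0x02; buf[39] = 0x01; /* dst ff02::1 (constructed) */
    buf[IPV6_HDR_LEN] = icmp_type;      /* code and checksum stay zero */
    return IPV6_HDR_LEN + 8;
}

/* Classify a synthetic packet with the given hop limit and ICMPv6 type. */
enum verdict check_synthetic(uint8_t hop_limit, uint8_t icmp_type)
{
    uint8_t buf[64];
    size_t n = build_icmp6_packet(buf, sizeof buf, hop_limit, icmp_type);
    return nd_hop_limit_check(buf, n);
}

int main(void)
{
    struct { uint8_t hlim, type; const char *what; } cases[] = {
        {255, ND_NEIGHBOR_SOLICIT_T, "NS, hop limit 255"},
        {254, ND_NEIGHBOR_SOLICIT_T, "NS, hop limit 254 (forwarded once)"},
        {64,  ND_ROUTER_ADVERT_T,    "RA, hop limit 64"},
        {64,  128,                   "echo request, hop limit 64"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s -> %s\n", cases[i].what,
            check_synthetic(cases[i].hlim, cases[i].type) == VERDICT_PASS ? "pass" : "drop");
    return 0;
}
```

The second case is the one the commit message targets: an NS that was legitimately 255 on ingress but has been decremented by a forwarding hop can never be a valid neighbor discovery message for the receiver, so it is dropped regardless of any other rule.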