On Mon, Dec 04, 2017 at 02:55:16PM +0100, Alexander Bluhm wrote:
> RFC 4861 requires that all neighbor discovery packets have 255 in
> their IPv6 header hop limit field. Let pf drop neighbor solicitation,
> neighbor advertisement, router solicitation, router advertisement,
> and redirect ICMP6 packets that do not comply. This enforces that
> bogus packets cannot be routed when pf is enabled.
>
> ok?
Wouldn't this be a duplicate of "if (ip6->ip6_hlim != 255)" checks done
in sys/netinet6/{icmp6,nd6_nbr,nd6_rtr}.c ?
Kind regards,
Job
