On Mon, Dec 04, 2017 at 08:23:26PM +0000, Job Snijders wrote:
> On Mon, Dec 04, 2017 at 02:55:16PM +0100, Alexander Bluhm wrote:
> > RFC 4861 requires that all neighbor discovery packets have 255 in
> > their IPv6 header hop limit field. Let pf drop neighbor solicitation,
> > neighbor advertisement, router solicitation, router advertisement,
> > and redirect ICMP6 packets that do not comply. This enforces that
> > bogus packets cannot be routed when pf is enabled.
> >
> > ok?
>
> Wouldn't this be a duplicate of "if (ip6->ip6_hlim != 255)" checks done
> in sys/netinet6/{icmp6,nd6_nbr,nd6_rtr}.c ?
These checks are never done for forwarded packets. They protect
our own stack. pf is there to protect the network behind the
firewall.
bluhm
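As an added example (not part of this thread, and not pf's own code), here is the filtering rule bluhm describes applied to raw IPv6 packets in Python: Neighbor Discovery messages (ICMPv6 types 133 through 137) whose hop limit is not 255 are dropped, everything else passes untouched. The packet builder, addresses and payloads are constructed for the demonstration; it does not walk IPv6 extension headers.

```python
import struct
from ipaddress import IPv6Address

IPPROTO_ICMPV6 = 58
# RFC 4861 Neighbor Discovery message types; each must arrive with hop limit 255.
ND_TYPES = {133: "router solicitation", 134: "router advertisement",
            135: "neighbor solicitation", 136: "neighbor advertisement",
            137: "redirect"}

def nd_hop_limit_check(pkt: bytes) -> tuple:
    """Return ("pass" | "drop", reason) for one raw IPv6 packet.

    An ND message with hop limit != 255 has crossed a router (or was forged)
    and is dropped; all other traffic passes regardless of hop limit.
    Assumption of this example: extension headers are not walked, so the
    ICMPv6 header must directly follow the 40-byte IPv6 header.
    """
    if len(pkt) < 40:
        return ("drop", "truncated IPv6 header")
    first, _plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        return ("pass", "not IPv6")
    if nxt != IPPROTO_ICMPV6:
        return ("pass", "not ICMPv6")
    if len(pkt) < 41:
        return ("drop", "truncated ICMPv6 header")
    name = ND_TYPES.get(pkt[40])
    if name is None:
        return ("pass", "ICMPv6 type %d is not neighbor discovery" % pkt[40])
    if hlim != 255:
        return ("drop", "%s with hop limit %d" % (name, hlim))
    return ("pass", "%s with hop limit 255" % name)

def build_ipv6(nxt: int, hlim: int, payload: bytes) -> bytes:
    """Constructed packet: fixed IPv6 header + payload; link-local placeholder
    addresses, ICMPv6 checksum left zero (not needed for this check)."""
    src = IPv6Address("fe80::1").packed
    dst = IPv6Address("ff02::1:ff00:2").packed
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, hlim) + src + dst
    return hdr + payload

# Constructed payloads: NS = type 135, code, checksum, reserved, target address;
# echo request = type 128, code, checksum, identifier, sequence.
NS_PAYLOAD = struct.pack("!BBHI", 135, 0, 0, 0) + IPv6Address("fe80::2").packed
ECHO_PAYLOAD = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)

if __name__ == "__main__":
    print(nd_hop_limit_check(build_ipv6(IPPROTO_ICMPV6, 255, NS_PAYLOAD)))
    print(nd_hop_limit_check(build_ipv6(IPPROTO_ICMPV6, 64, NS_PAYLOAD)))
    print(nd_hop_limit_check(build_ipv6(IPPROTO_ICMPV6, 64, ECHO_PAYLOAD)))
```

The echo-request case shows why the check is keyed on the ICMPv6 type: ordinary ICMPv6 traffic legitimately arrives with a decremented hop limit and must not be caught by the ND rule.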