Hello,

Looks like time has come to tweak a tuning knob from paranoia
towards 'get network working'

I have just a few nits, see below.

thanks and
regards
sashan

</snip>
>  
>  int
> +pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end,
> +    u_short *reason)
> +{
> +     uint8_t type, length, opts[15 * 4 - sizeof(struct ip)];
> +
> +     KASSERT(end - off <= sizeof(opts));
> +     m_copydata(pd->m, off, end - off, opts);
> +
> +     while (off < end) {
> +             type = opts[off - sizeof(struct ip)];
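Review bot: the index base and the copy base in this loop only agree if `off` equals `sizeof(struct ip)` on entry: `m_copydata(pd->m, off, end - off, opts)` places the byte at mbuf offset `off` into `opts[0]`, but the loop reads `opts[off - sizeof(struct ip)]`, i.e. it indexes the buffer relative to the end of the fixed IPv4 header while the buffer was filled relative to `off`. If every caller passes `off == sizeof(struct ip)` this is fine, but the `KASSERT(end - off <= sizeof(opts))` only bounds the length, not the start; either assert `off == sizeof(struct ip)` as well (which also makes the `15 * 4 - sizeof(struct ip)` array size evidently sufficient), or index `opts` relative to a local that records the offset handed to `m_copydata`.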

    Would it be possible to do the 'off - sizeof(struct ip)' computation
    outside of the while loop? I think we can adjust both `off` and `end`:
        off -= sizeof(struct ip);
        end -= sizeof(struct ip);
    just before we enter the while () loop.

</snip>
>                               pd->off += (ext.ip6e_len + 2) * 4;
> @@ -6607,9 +6659,23 @@ pf_walk_header6(struct pf_pdesc *pd, str
>                               pd->off += (ext.ip6e_len + 1) * 8;
>                       pd->proto = ext.ip6e_nxt;
>                       break;
> +             case IPPROTO_ICMPV6:
> +                     if (!pf_pull_hdr(pd->m, pd->off, &icmp6, sizeof(icmp6),
> +                         NULL, reason, AF_INET6)) {
> +                             DPFPRINTF(LOG_NOTICE, "IPv6 short icmp6hdr");
> +                             return (PF_DROP);
> +                     }
> +                     /* ICMP multicast packets have router alert options */
> +                     switch (icmp6.icmp6_type) {
> +                     case MLD_LISTENER_QUERY:
> +                     case MLD_LISTENER_REPORT:
> +                     case MLD_LISTENER_DONE:
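Review bot: the switch on `icmp6.icmp6_type` lists only the three MLDv1 message types; a Version 2 Multicast Listener Report (ICMPv6 type 143, `MLDV2_LISTENER_REPORT` in netinet/icmp6.h) is likewise required by RFC 3810 to be sent with the Hop-by-Hop Router Alert option and would not match any of these cases, so it should probably be added alongside `MLD_LISTENER_REPORT`. The comment `/* ICMP multicast packets have router alert options */` is also vaguer than the code beneath it: it is MLD messages specifically that carry a Router Alert option in a Hop-by-Hop extension header, so the comment should say that.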

    I wonder if we should have a check similar to the one we have for the
    IPv4 address, where we require a multicast address. For example, in the
    case of MLD_LISTENER_QUERY the packet destination address should be
    fe80::/10. I need to look at the RFCs more closely first. Just asking in
    case someone else knows off the top of their head.
