git: a62c14538100 - main - pf: drop neighbor discovery packets with the wrong hop limit
Date: Thu, 26 Jun 2025 13:11:42 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=a62c145381001b830cdd1e4781ecb5462c880d77
commit a62c145381001b830cdd1e4781ecb5462c880d77
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-06-18 16:28:57 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-26 13:11:00 +0000
pf: drop neighbor discovery packets with the wrong hop limit
RFC 4861 requires that all neighbor discovery packets have 255 in
their IPv6 header hop limit field. Let pf drop neighbor solicitation,
neighbor advertisement, router solicitation, router advertisement,
and redirect ICMP6 packets that do not comply. This enforces that
bogus packets cannot be routed when pf is enabled.
OK mpi@ sashan@ benno@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 441055dec2
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c162b3dd8b3c..25525092efdb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -10220,6 +10220,14 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
case ND_NEIGHBOR_SOLICIT:
case ND_NEIGHBOR_ADVERT:
icmp_hlen = sizeof(struct nd_neighbor_solicit);
+ /* FALLTHROUGH */
+ case ND_ROUTER_SOLICIT:
+ case ND_ROUTER_ADVERT:
+ case ND_REDIRECT:
+ if (pd->ttl != 255) {
+ REASON_SET(reason, PFRES_NORM);
+ return (PF_DROP);
+ }
break;
}
if (icmp_hlen > sizeof(struct icmp6_hdr) &&
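Review bot: The new `if (pd->ttl != 255)` check drops with `PFRES_NORM`, so these drops are counted under pf's normalization counter rather than a dedicated reason, and because the check sits in pf_setup_pdesc it applies unconditionally, with no rule option to opt out. That behaviour change deserves a note in the commit message or pf.conf(5) (e.g. "neighbor discovery packets with a hop limit other than 255 are always dropped; see the normalize counter in pfctl -s info") so operators who see unexplained ND drops after upgrading know where to look. The `/* FALLTHROUGH */` from the NS/NA case is correct as written: `icmp_hlen` keeps `sizeof(struct nd_neighbor_solicit)` for those two types while RS/RA/redirect retain the default header length, and all five share the hop-limit check. As a follow-up, RFC 4861 section 7.1.1 also requires an ICMP code of 0 for these messages, which could be validated at the same point.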