The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9ab84b78caaf1e167f99139965520ccf7752461b

commit 9ab84b78caaf1e167f99139965520ccf7752461b
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-06-19 09:56:10 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-06-26 13:11:00 +0000

    pf: disallow IPv6 routing header by default
    
    pf drops IPv4 packets with any options by default.  For IPv6 the
    same is already done for options header.  Add the routing extension
    header to the list that need "allow-opts" to pass.
    OK sashan@ visa@
    
    Obtained from:  OpenBSD, bluhm <bl...@openbsd.org>, bfcbb272c6
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 25525092efdb..521969001f92 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9829,9 +9829,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, 
u_short *reason)
        pd->proto = h->ip6_nxt;
        for (hdr_cnt = 0; hdr_cnt < PF_HDR_LIMIT; hdr_cnt++) {
                switch (pd->proto) {
+               case IPPROTO_ROUTING:
                case IPPROTO_HOPOPTS:
                case IPPROTO_DSTOPTS:
                        pd->badopts++;
+                       break;
                }
                switch (pd->proto) {
                case IPPROTO_FRAGMENT:
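Review bot: The new `case IPPROTO_ROUTING:` label in the first `switch` of the `pf_walk_header6` loop makes every routing header type count toward `pd->badopts`, with no type check in this switch and no comment recording that intent. A one-line comment above the switch, such as `/* Extension headers that need "allow-opts" on the matching rule to pass. */`, would make the policy visible where it is enforced. `pd->badopts` is only incremented here and acted on outside the hunk, so the comment could also point to where the drop decision is made. The diffstat shows only pf.c touched, so it is worth confirming that the `allow-opts` text in pf.conf(5) and the release notes cover this; rulesets that currently pass traffic carrying routing headers will presumably start dropping it until `allow-opts` is added. The function body begins and continues outside the hunk.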
