D50662.id.diff
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd May 26, 2025
+.Dd May 27, 2025
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2147,20 +2147,21 @@
pass all tos 16
.Ed
.It Ar allow-opts
-By default, IPv4 packets with IP options or IPv6 packets with routing
-extension headers are blocked.
+By default, packets with IPv4 options or IPv6 hop-by-hop or destination
+options header are blocked.
When
.Ar allow-opts
is specified for a
.Ar pass
rule, packets that pass the filter based on that rule (last matching)
-do so even if they contain IP options or routing extension headers.
+do so even if they contain options.
For packets that match state, the rule that initially created the
state is used.
The implicit
.Ar pass
-rule that is used when a packet does not match any rules does not
-allow IP options.
+rule, that is used when a packet does not match
+any rules, does not allow IP options or option headers.
+Note that IPv6 packets with type 0 routing headers are always dropped.
.It Ar label Aq Ar string
Adds a label (name) to the rule, which can be used to identify the rule.
For instance,
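Review bot: the rewritten sentence `+rule, that is used when a packet does not match` / `+any rules, does not allow IP options or option headers.` turns a restrictive clause into a comma-spliced parenthetical; the original `rule that is used when ...` was correct, so suggest `rule that is used when a packet does not match any rules does not allow IP options or option headers.` In the first added sentence, `IPv6 hop-by-hop or destination options header are blocked` should read `options headers are blocked`. The new text also drops the previous mention of routing extension headers from the `allow-opts` description while the pf.c hunk only counts IPPROTO_HOPOPTS and IPPROTO_DSTOPTS; one sentence stating that routing headers (other than the always-dropped type 0) are no longer affected by this option would save readers of the old manual a guess.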
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9707,6 +9707,8 @@
REASON_SET(reason, PFRES_SHORT);
return (PF_DROP);
}
+ if (hlen != sizeof(struct ip))
+ pd->badopts++;
end = pd->off + ntohs(h->ip_len);
pd->off += hlen;
pd->proto = h->ip_p;
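Review bot: `if (hlen != sizeof(struct ip))` at the top of this hunk is only equivalent to the removed `h->ip_hl > 5` test if header lengths below 20 bytes cannot reach this point; the `PFRES_SHORT` / `return (PF_DROP)` immediately above suggests they are rejected, but please confirm that check covers `hlen < sizeof(struct ip)` and not only the total length. Writing it as `if (hlen > sizeof(struct ip))` states the intent directly, and a short comment such as `/* IPv4 options present */` would preserve the `/* has options */` note that the later hunk removes.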
@@ -9814,6 +9816,11 @@
pd->fragoff = pd->extoff = pd->jumbolen = 0;
pd->proto = h->ip6_nxt;
for (hdr_cnt = 0; hdr_cnt < PF_HDR_LIMIT; hdr_cnt++) {
+ switch (pd->proto) {
+ case IPPROTO_HOPOPTS:
+ case IPPROTO_DSTOPTS:
+ pd->badopts++;
+ }
switch (pd->proto) {
case IPPROTO_FRAGMENT:
if (fraghdr_cnt++) {
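Review bot: the added `switch (pd->proto)` has no `default:` case and sits directly in front of an existing `switch (pd->proto)` on the same value; folding `case IPPROTO_HOPOPTS:` / `case IPPROTO_DSTOPTS:` into the existing switch, or using a two-term `if`, avoids the duplicated dispatch and the style(9) complaint about a switch without a default. Note also that `pd->badopts++` now runs once per header encountered in the loop, so a packet carrying both a hop-by-hop and a destination options header yields `badopts == 2`; that is harmless if callers only test for non-zero, but worth a comment. Since only these two header types are counted, IPv6 routing headers no longer feed `badopts`, which matches the pf.conf.5 change in this revision but should be stated in the commit message.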
@@ -10007,10 +10014,6 @@
pd->tot_len = ntohs(h->ip_len);
pd->act.rtableid = -1;
pd->df = h->ip_off & htons(IP_DF);
-
- if (h->ip_hl > 5) /* has options */
- pd->badopts++;
-
pd->virtual_proto = (h->ip_off & htons(IP_MF | IP_OFFMASK)) ?
PF_VPROTO_FRAGMENT : pd->proto;
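Review bot: removing the `ip_hl > 5` check here moves the IPv4 options accounting into the header parsing changed in the earlier hunk; the two sites must see the same packets, so please confirm the new `hlen != sizeof(struct ip)` increment is reached for every IPv4 packet that previously passed through this function, including fragments given the `IP_MF | IP_OFFMASK` handling directly below, otherwise packets with options would silently lose the `badopts` flag.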
D50662: pf: align option handling for IPv4 and IPv6