RFC 4861 requires that all neighbor discovery packets have 255 in

their IPv6 header hop limit field.  Let pf drop neighbor solicitation,
neighbor advertisement, router solicitation, router advertisement,
and redirect ICMP6 packets that do not comply.  This enforces that
bogus packets cannot be routed when pf is enabled.
OK mpi@ sashan@ benno@

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 20e0e1f..9edbe0f 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1049 2017/12/01 10:33:33 bluhm Exp $ */
+/*     $OpenBSD: pf.c,v 1.1050 2017/12/04 15:13:12 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6602,6 +6602,14 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
                case ND_NEIGHBOR_SOLICIT:
                case ND_NEIGHBOR_ADVERT:
                        icmp_hlen = sizeof(struct nd_neighbor_solicit);
+                       /* FALLTHROUGH */
+               case ND_ROUTER_SOLICIT:
+               case ND_ROUTER_ADVERT:
+               case ND_REDIRECT:
+                       if (pd->ttl != 255) {
+                               REASON_SET(reason, PFRES_NORM);
+                               return (PF_DROP);
+                       }
                        break;
                }
                if (icmp_hlen > sizeof(struct icmp6_hdr) &&