pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
authorsashan <sashan@openbsd.org>
Sat, 4 Mar 2023 10:55:37 +0000 (10:55 +0000)
committersashan <sashan@openbsd.org>
Sat, 4 Mar 2023 10:55:37 +0000 (10:55 +0000)
Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail>

OK bluhm@

sys/net/pf.c

index 8cb1326..a1a334f 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1171 2023/01/22 23:05:51 yasuoka Exp $ */
+/*     $OpenBSD: pf.c,v 1.1172 2023/03/04 10:55:37 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6846,8 +6846,12 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
        pd->proto = h->ip_p;
        /* IGMP packets have router alert options, allow them */
        if (pd->proto == IPPROTO_IGMP) {
-               /* According to RFC 1112 ttl must be set to 1. */
-               if ((h->ip_ttl != 1) || !IN_MULTICAST(h->ip_dst.s_addr)) {
+               /*
+                * According to RFC 1112 ttl must be set to 1 in all IGMP
+                * packets sent to 224.0.0.1
+                */
+               if ((h->ip_ttl != 1) &&
+                   (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
                        DPFPRINTF(LOG_NOTICE, "Invalid IGMP");
                        REASON_SET(reason, PFRES_IPOPTIONS);
                        return (PF_DROP);
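Review bot: The rewritten `if` in the IGMP branch no longer drops IGMP packets whose destination is not multicast: the removed condition rejected on `!IN_MULTICAST(h->ip_dst.s_addr)`, while the new one drops only packets with TTL != 1 addressed to 224.0.0.1. The comment above the branch says IGMP packets are allowed to carry router alert options, so any option allowance that follows this block (outside the hunk, so inferred) would now also cover IGMP sent to unicast hosts or to other groups with an arbitrary TTL. If that widening is intended, the comment should say so, for example `/* IGMP to any other destination, unicast included, is deliberately not TTL-checked here. */`; if it is not, the multicast test should stay as a separate drop condition. The equality test also relies on `INADDR_ALLHOSTS_GROUP` being in network byte order like `h->ip_dst.s_addr`, which the hunk does not show. pf_walk_header's body continues outside the hunk.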