pf drops IPv4 packets with any options by default. For IPv6 the

same is already done for options header.  Add the routing extension
header to the list that need "allow-opts" to pass.
OK sashan@ visa@

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 27a1f9e..274f960 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1051 2017/12/24 14:18:19 bluhm Exp $ */
+/*     $OpenBSD: pf.c,v 1.1052 2017/12/28 11:37:44 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6326,9 +6326,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
 
        for (hdr_cnt = 0; hdr_cnt < pf_hdr_limit; hdr_cnt++) {
                switch (pd->proto) {
+               case IPPROTO_ROUTING:
                case IPPROTO_HOPOPTS:
                case IPPROTO_DSTOPTS:
                        pd->badopts++;
+                       break;
                }
                switch (pd->proto) {
                case IPPROTO_FRAGMENT: