Block IPv6 packets in pf(4) that have hop-by-hop options header or

destination options header.  Such packets can be passed by adding
"allow-opts" to the rule.  So IPv6 options are handled like their
counterpart in IPv4 now.
tested by benno@; OK henning@

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index d76129d..49b296a 100644 (file)
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: pf.conf.5,v 1.563 2017/05/22 19:15:29 jmc Exp $
+.\"    $OpenBSD: pf.conf.5,v 1.564 2017/05/31 09:19:10 bluhm Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org>
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2017 $
+.Dd $Mdocdate: May 31 2017 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -462,18 +462,19 @@ This is equivalent to
 .Ql from any to any .
 .Pp
 .It Cm allow-opts
-By default, IPv4 packets with IP options or IPv6 packets with routing
-extension headers are blocked.
+By default, packets with IPv4 options or IPv6 hop-by-hop or destination
+options header are blocked.
 When
 .Cm allow-opts
 is specified for a
 .Ic pass
 rule, packets that pass the filter based on that rule (last matching)
-do so even if they contain IP options or routing extension headers.
+do so even if they contain options.
 For packets that match state, the rule that initially created the
 state is used.
-The implicit pass rule that is used when a packet does not match
-any rules does not allow IP options.
+The implicit pass rule, that is used when a packet does not match
+any rules, does not allow IP options or option headers.
+Note that IPv6 packets with type 0 routing headers are always dropped.
 .Pp
 .It Cm divert-packet port Ar port
 Used to send matching packets to

diff --git a/sys/net/pf.c b/sys/net/pf.c
index c2ec6b8..578b9a0 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1032 2017/05/30 08:10:01 henning Exp $ */
+/*     $OpenBSD: pf.c,v 1.1033 2017/05/31 09:19:10 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6132,6 +6132,8 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
                REASON_SET(reason, PFRES_SHORT);
                return (PF_DROP);
        }
+       if (hlen != sizeof(struct ip))
+               pd->badopts++;
        end = pd->off + ntohs(h->ip_len);
        pd->off += hlen;
        pd->proto = h->ip_p;
@@ -6241,6 +6243,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
        pd->proto = h->ip6_nxt;
 
        for (hdr_cnt = 0; hdr_cnt < pf_hdr_limit; hdr_cnt++) {
+               switch (pd->proto) {
+               case IPPROTO_HOPOPTS:
+               case IPPROTO_DSTOPTS:
+                       pd->badopts++;
+               }
                switch (pd->proto) {
                case IPPROTO_FRAGMENT:
                        if (fraghdr_cnt++) {
@@ -6396,8 +6403,6 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
                pd->tot_len = ntohs(h->ip_len);
                pd->tos = h->ip_tos & ~IPTOS_ECN_MASK;
                pd->ttl = h->ip_ttl;
-               if (h->ip_hl > 5)       /* has options */
-                       pd->badopts++;
                pd->virtual_proto = (h->ip_off & htons(IP_MF | IP_OFFMASK)) ?
                     PF_VPROTO_FRAGMENT : pd->proto;