From: sashan
Date: Sat, 4 Mar 2023 10:55:37 +0000 (+0000)
Subject: pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=58feb3ffc6e4325f32e45913d0699eeb367a8a88;p=openbsd
pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only. Issue found and kindly reported by Luca Di Gregorio OK bluhm@
---
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8cb1326a160..a1a334ffb1c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1171 2023/01/22 23:05:51 yasuoka Exp $ */
+/* $OpenBSD: pf.c,v 1.1172 2023/03/04 10:55:37 sashan Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -6846,8 +6846,12 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 pd->proto = h->ip_p;
 /* IGMP packets have router alert options, allow them */
 if (pd->proto == IPPROTO_IGMP) {
- /* According to RFC 1112 ttl must be set to 1. */
- if ((h->ip_ttl != 1) || !IN_MULTICAST(h->ip_dst.s_addr)) {
+ /*
+ * According to RFC 1112 ttl must be set to 1 in all IGMP
+ * packets sent to 224.0.0.1
+ */
+ if ((h->ip_ttl != 1) &&
+ (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
 DPFPRINTF(LOG_NOTICE, "Invalid IGMP");
 REASON_SET(reason, PFRES_IPOPTIONS);
 return (PF_DROP);
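Review bot: The rewritten condition in pf_walk_header() relaxes more than the TTL rule: the old test also rejected any IGMP packet whose destination failed `IN_MULTICAST(h->ip_dst.s_addr)`, and the new `&&` form no longer checks that, so protocol-2 packets to unicast addresses or to groups other than 224.0.0.1 pass this branch with any TTL. The commit message only mentions narrowing the TTL check, so if accepting non-multicast destinations is intended, I would say so in the block comment, e.g. `* Other destinations are not validated here and must be filtered by the ruleset.` The branch and the rest of the function continue outside the hunk, so whether a later check covers those packets cannot be confirmed from here. The log text `"Invalid IGMP"` could also name the failed check (TTL for the all-hosts group) to help anyone reading pf debug output.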