From bfcbb272c6f4c3341685dc0476a56cd2df40548c Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 28 Dec 2017 11:37:44 +0000
Subject: [PATCH] pf drops IPv4 packets with any options by default. For IPv6 the same is already done for options header. Add the routing extension header to the list that need "allow-opts" to pass. OK sashan@ visa@

---
 sys/net/pf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 27a1f9e696b..274f9608e7e 100644
--- sys/net/pf.c
+++ sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1051 2017/12/24 14:18:19 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1052 2017/12/28 11:37:44 bluhm Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -6326,9 +6326,11 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
 
 for (hdr_cnt = 0; hdr_cnt < pf_hdr_limit; hdr_cnt++) {
 switch (pd->proto) {
+ case IPPROTO_ROUTING:
 case IPPROTO_HOPOPTS:
 case IPPROTO_DSTOPTS:
 pd->badopts++;
+ break;
 }
 switch (pd->proto) {
 case IPPROTO_FRAGMENT:
-- 
2.20.1
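Review bot: The first `switch (pd->proto)` inside the loop of pf_walk_header6() has no comment saying that it is the list of IPv6 extension headers that only pass with `allow-opts`. I would add `/* extension headers that need "allow-opts" on the matching rule */` above it, so that a later change to the per-header handling does not overlook this list. With `case IPPROTO_ROUTING:` now reaching `pd->badopts++`, existing rulesets that carry legitimate routing-header traffic will need `allow-opts` after upgrading. The diffstat shows only sys/net/pf.c, so it is worth confirming that pf.conf(5) names the routing header under that option. The loop and the function body continue outside the hunk, so how `badopts` is consumed is not visible here.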