On Tue, May 03, 2022 at 02:12:36PM +0200, Claudio Jeker wrote:
> On Tue, May 03, 2022 at 02:08:33PM +0200, Alexandr Nedvedicky wrote:
> > Hello
> >
> > On Tue, May 03, 2022 at 10:44:48AM +0200, Claudio Jeker wrote:
> >
> > >
> > > The RFC does not use the usual MUST to enforce any of this.
> > >
On Tue, May 03, 2022 at 02:08:33PM +0200, Alexandr Nedvedicky wrote:
> Hello
>
> On Tue, May 03, 2022 at 10:44:48AM +0200, Claudio Jeker wrote:
>
> >
> > The RFC does not use the usual MUST to enforce any of this.
> > So yes, we should probably not be too strict because there is no way to
> > fo
Hello
On Tue, May 03, 2022 at 10:44:48AM +0200, Claudio Jeker wrote:
>
> The RFC does not use the usual MUST to enforce any of this.
> So yes, we should probably not be too strict because there is no way to
> force accept the packet when pf_walk_header() returns PF_DROP.
>
> I agree that the TT
On Tue, May 03, 2022 at 10:10:23AM +0200, Alexandr Nedvedicky wrote:
> updated diff is below.
> thanks for taking a look at it.
OK bluhm@
> 8<---8<---8<--8<
> diff --git a/sys/net/pf.c b/sys/net/pf.c
> index f15e1ead8c0..bf9593952ec 100644
>
Hello,
On Tue, May 03, 2022 at 09:19:44AM +0200, Alexander Bluhm wrote:
> On Tue, May 03, 2022 at 12:26:52AM +0200, Alexandr Nedvedicky wrote:
> > OK ? or should I also drop a check for link-local source address
> > in IPv6?
>
> The link-local check makes sense.
>
> > + CLR(pd
On Tue, May 03, 2022 at 12:26:52AM +0200, Alexandr Nedvedicky wrote:
> OK ? or should I also drop a check for link-local source address
> in IPv6?
The link-local check makes sense.
> 8<---8<---8<--8<
> diff --git a/sys/net/pf.c b/sys/net/pf.
Hello,
>
> Checking that the TTL equals 1 is a good thing. We should prevent
> that someone is forwarding such packets.
>
> The router alert is a hint to routers on the way to look at these
> packets. If they are missing, no harm is done. Maybe some multicast
> does not work. But there is no
