Hi, pf blocks IPv4 options, so it should block IPv6 option headers as well.
I am not aware of common use cases where option headers are essential. For special things allow-opts can be added to pf.conf, but I don't want to break usual setups. Did I forget something? Could you test this on real IPv6 links and report fallout? bluhm Index: net/pf.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v retrieving revision 1.1030 diff -u -p -r1.1030 pf.c --- net/pf.c 28 May 2017 16:55:54 -0000 1.1030 +++ net/pf.c 28 May 2017 19:53:25 -0000 @@ -6128,6 +6128,8 @@ pf_walk_header(struct pf_pdesc *pd, stru REASON_SET(reason, PFRES_SHORT); return (PF_DROP); } + if (hlen != sizeof(struct ip)) + pd->badopts++; end = pd->off + ntohs(h->ip_len); pd->off += hlen; pd->proto = h->ip_p; @@ -6238,6 +6240,11 @@ pf_walk_header6(struct pf_pdesc *pd, str for (hdr_cnt = 0; hdr_cnt < pf_hdr_limit; hdr_cnt++) { switch (pd->proto) { + case IPPROTO_HOPOPTS: + case IPPROTO_DSTOPTS: + pd->badopts++; + } + switch (pd->proto) { case IPPROTO_FRAGMENT: if (fraghdr_cnt++) { DPFPRINTF(LOG_NOTICE, "IPv6 multiple fragment"); @@ -6392,8 +6399,6 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_f pd->tot_len = ntohs(h->ip_len); pd->tos = h->ip_tos & ~IPTOS_ECN_MASK; pd->ttl = h->ip_ttl; - if (h->ip_hl > 5) /* has options */ - pd->badopts++; pd->virtual_proto = (h->ip_off & htons(IP_MF | IP_OFFMASK)) ? PF_VPROTO_FRAGMENT : pd->proto; Index: share/man/man5/pf.conf.5 =================================================================== RCS file: /data/mirror/openbsd/cvs/src/share/man/man5/pf.conf.5,v retrieving revision 1.563 diff -u -p -r1.563 pf.conf.5 --- share/man/man5/pf.conf.5 22 May 2017 19:15:29 -0000 1.563 +++ share/man/man5/pf.conf.5 28 May 2017 16:02:51 -0000 
@@ -462,18 +462,19 @@ This is equivalent to .Ql from any to any . .Pp .It Cm allow-opts -By default, IPv4 packets with IP options or IPv6 packets with routing -extension headers are blocked. +By default, packets with IPv4 options or IPv6 destination or +hop-by-hop option headers are blocked. When .Cm allow-opts is specified for a .Ic pass rule, packets that pass the filter based on that rule (last matching) -do so even if they contain IP options or routing extension headers. +do so even if they contain options. For packets that match state, the rule that initially created the state is used. -The implicit pass rule that is used when a packet does not match -any rules does not allow IP options. +The implicit pass rule, that is used when a packet does not match +any rules, does not allow IP options or option headers. +Note that IPv6 packets with type 0 routing headers are always dropped. .Pp .It Cm divert-packet port Ar port Used to send matching packets to
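Review bot: in the first pf.c hunk (pf_walk_header), the new test `if (hlen != sizeof(struct ip))` is only equivalent to the removed `h->ip_hl > 5` check because the PFRES_SHORT return immediately above it already rejects any hlen below sizeof(struct ip); writing it as `if (hlen > sizeof(struct ip))` states the "has options" intent directly instead of relying on the reader to find that earlier check, and the `/* has options */` comment dropped from pf_setup_pdesc should move here with it so `pd->badopts++` stays self-explaining.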
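Review bot: in the pf_walk_header6 hunk, the added `switch (pd->proto)` lists only IPPROTO_HOPOPTS and IPPROTO_DSTOPTS, has no default, and does nothing but `pd->badopts++`, so a second switch on the same value directly in front of the existing one reads oddly; `if (pd->proto == IPPROTO_HOPOPTS || pd->proto == IPPROTO_DSTOPTS) pd->badopts++;` says the same thing in one line. Separately, the pf.conf.5 hunk removes "routing extension headers" from the set that is blocked by default, but this hunk does not touch any IPPROTO_ROUTING handling; please confirm that routing headers other than type 0 are now passed without allow-opts, and if so say so in the commit message, since that is a behaviour change the diff itself does not show.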
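Review bot: the pf_setup_pdesc hunk deletes `if (h->ip_hl > 5) /* has options */ pd->badopts++;` while the tot_len, tos and ttl setup around it stays, so for IPv4 the badopts decision now lives only in pf_walk_header; please double-check that every path that previously reached this line also runs pf_walk_header on the same header, otherwise an IPv4 packet with options would pass on that path without allow-opts, which is the opposite of the intent stated in the mail.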
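Review bot: in the pf.conf.5 hunk, "The implicit pass rule, that is used when a packet does not match any rules, does not allow IP options or option headers." puts commas around a restrictive clause; keep the original comma-less "The implicit pass rule that is used when a packet does not match any rules does not allow ..." or change "that" to "which". The new "do so even if they contain options." also drops the header case that the rewritten first sentence ("IPv4 options or IPv6 destination or hop-by-hop option headers") introduces; "do so even if they contain IP options or option headers." keeps the two sentences parallel and matches the wording used for the implicit pass rule two lines later.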