I've noticed a few of these PF log entries that were logging passed
traffic containing IP options:
Sep 30 22:52:12.586548 rule 32/(ip-option) [uid 0, pid 9872] pass in on sis1:
10.0.1.23.1031 > x.x.13.31.10000: [udp sum ok] udp 68 (ttl 255, id 5,
len 100, optlen=4 IPOPT-148{4})
4600 0064 0005 0000 ff11 4709 0a00 0117
xxxx 0d1f 9404 0000 0407 2710 004c 0c4a
b38e b558 0000 0002 60a9 3aea 66c6 929b
9f98 00bb cdac ef28 9b28 c96d 970b 0b81
c834 1336 a7bb 6e8c 5cb5 1a57 93f4 51ec
3ae5 f0b2 e17c 9ac8 b13a 06c8 5bd1 59a9
9292 8fc5
Sep 30 22:52:13.478540 rule 32/(ip-option) [uid 0, pid 9872] pass in on sis1:
10.0.1.23.1031 > x.x.13.31.10000: [udp sum ok] udp 68 (ttl 255, id 23,
len 100, optlen=4 IPOPT-148{4})
4600 0064 0017 0000 ff11 46f7 0a00 0117
xxxx 0d1f 9404 0000 0407 2710 004c ee73
b38e b558 0000 0014 5d3f 9355 fec2 166e
abd4 dd96 419a 70f0 4b44 ef4b 4ef3 5a7a
35bd 3cc1 0f02 c857 29ce 2d23 6a22 7694
ecf0 6afe a634 92e0 82fa 332b 2f84 70d3
b743 5759
The rule that this matched is as follows:
@32 pass in on sis1 inet from any to ! 10.0.1.1 flags S/SA keep state
[ Evaluations: 84252 Packets: 5119148 Bytes: 2733671124 States: 29 ]
[ Inserted: uid 0 pid 9872 ]
I was under the belief that packets with IP options were dropped but
this appears to be passed and logged. Is it because this is an
explicit pass rule and packets with IP options are only dropped if the
default pass rule is matched? I figured from pf.conf(5) that the
packets would be dropped unless allow-opts was specified:
allow-opts
By default, packets which contain IP options are blocked. When
allow-opts is specified for a pass rule, packets that pass the filter
based on that rule (last matching) do so even if they contain
IP options. For packets that match state, the rule that initially
created the state is used. The implicit pass rule that is used
when a packet does not match any rules does not allow IP options.
This host is running OpenBSD 4.0/i386.
DS
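Added example, not part of the original post: a small Python decoder for the hex dump that pflog printed above. It parses the IPv4 header of the first logged packet (the "xxxx" that masks the first two destination octets is replaced with 0x0000 as a placeholder, which is an assumption, so the IP checksum of the sample is not checked), walks the options area, and shows that IHL=6 leaves 4 bytes of options holding option type 148, Router Alert (RFC 2113), which tcpdump abbreviates as IPOPT-148{4}. The function and constant names are the example's own, not pf's.

```python
import struct
from typing import Dict, List, Tuple

# Constructed sample: the IPv4 header plus the UDP header from the first pflog
# entry in the post. The masked destination octets ("xxxx") are replaced with
# 0x0000 as a placeholder (an assumption), so the IP header checksum in this
# sample differs from the real packet and is deliberately not verified.
SAMPLE_HEX = (
    "4600 0064 0005 0000 ff11 4709 0a00 0117 "
    "0000 0d1f 9404 0000 0407 2710 004c 0c4a"
)

# Readable names for a few option type numbers from the IANA IP option
# registry; tcpdump on this host printed the numeric form IPOPT-<type>.
IPOPT_NAMES = {0: "End of Options", 1: "No Operation", 7: "Record Route",
               68: "Timestamp", 131: "Loose Source Route",
               137: "Strict Source Route", 148: "Router Alert (RFC 2113)"}


def option_name(opt_type: int) -> str:
    return IPOPT_NAMES.get(opt_type, "unknown")


def parse_options(opts: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the IP options area and return (type, length, data) tuples.

    EOL (0) and NOP (1) are single-byte options; every other option carries a
    length byte that counts the type and length bytes themselves. A length
    below 2, or one that runs past the header, is rejected instead of looped
    on, which is the classic pitfall in option parsers.
    """
    out = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:  # End of Options List: anything after it is padding
            out.append((0, 1, b""))
            break
        if t == 1:  # No Operation
            out.append((1, 1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated before its length byte" % t)
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("option %d has bad length %d" % (t, ln))
        out.append((t, ln, opts[i + 2:i + ln]))
        i += ln
    return out


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fixed IPv4 header, its options and, for UDP, the UDP header."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (vihl, _tos, tlen, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    hlen = ihl * 4
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError("bad IHL %d for a %d-byte buffer" % (ihl, len(pkt)))
    info = {
        "ihl": ihl, "header_len": hlen, "total_len": tlen, "id": ident,
        "ttl": ttl, "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # A header longer than 20 bytes (IHL > 5) is what "contains IP
        # options" means at the packet level; the option bytes sit between
        # offset 20 and hlen.
        "options": parse_options(pkt[20:hlen]),
    }
    if proto == 17 and len(pkt) >= hlen + 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[hlen:hlen + 8])
        info["udp"] = {"sport": sport, "dport": dport, "len": ulen,
                       "payload_len": ulen - 8}
    return info


def pflog_option_summary(info: Dict) -> str:
    """Render the options the way the log line does, e.g. 'optlen=4 IPOPT-148{4}'."""
    optlen = info["header_len"] - 20
    if optlen == 0:
        return "no options"
    parts = ["IPOPT-%d{%d}" % (t, ln) for t, ln, _data in info["options"]]
    return "optlen=%d %s" % (optlen, " ".join(parts))


def decode_sample() -> Dict:
    """Decode SAMPLE_HEX; the returned dict is what the checks below look at."""
    return parse_ipv4(bytes.fromhex(SAMPLE_HEX.replace(" ", "")))


if __name__ == "__main__":
    d = decode_sample()
    print("%s.%d > %s.%d: udp %d (ttl %d, id %d, len %d, %s)" % (
        d["src"], d["udp"]["sport"], d["dst"], d["udp"]["dport"],
        d["udp"]["payload_len"], d["ttl"], d["id"], d["total_len"],
        pflog_option_summary(d)))
    for t, ln, data in d["options"]:
        print("  option type %d (%s), length %d, data %s"
              % (t, option_name(t), ln, data.hex()))
```

Running it on the sample reproduces the fields tcpdump printed (ttl 255, id 5, len 100, udp 68, ports 1031 > 10000) and names the option. Substitute the second dump (id 23) for SAMPLE_HEX and the option decodes identically; only the IP id, checksums and payload differ.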