On Sat, Mar 04, 2023 at 12:09:41AM +0100, Alexandr Nedvedicky wrote:
> 6847 /* IGMP packets have router alert options, allow them */
> 6848 if (pd->proto == IPPROTO_IGMP) {
> 6849 /*
> 6850 * According to RFC 1112 ttl must be set to 1 in all IGMP
> 6851 * packets sent to 224.0.0.1
> 6852 */
> 6853 if ((h->ip_ttl != 1) &&
> 6854 (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
> 6855 DPFPRINTF(LOG_NOTICE, "Invalid IGMP");
> 6856 REASON_SET(reason, PFRES_IPOPTIONS);
> 6857 return (PF_DROP);
> 6858 }
> 6859 CLR(pd->badopts, PF_OPT_ROUTER_ALERT);
>
> This change should make pf(4) reasonably paranoid while keeping IGMP working.
OK bluhm@
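The check quoted above, as an added stand-alone C model (not pf's own code and not part of this thread): it parses a raw IPv4 header, records a Router Alert option (type 148, RFC 2113) as a bad option the way pf tracks pd->badopts, then applies the IGMP exception: an IGMP packet to 224.0.0.1 with TTL != 1 is dropped, otherwise the Router Alert flag is cleared for IGMP. The final rule that any remaining bad option drops the packet is a simplification of pf's default for rules without allow-opts. All function and constant names (parse_ipv4, igmp_check, check_case, OPT_ROUTER_ALERT) and the packets built inline are constructed for this example.

```c
/* Added example modelling the pf(4) IGMP/Router Alert check; not pf code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IGMP      2
#define PROTO_UDP       17
#define IPOPT_EOL       0
#define IPOPT_NOP       1
#define IPOPT_RA        148            /* Router Alert, RFC 2113, length 4 */
#define ALLHOSTS_GROUP  0xE0000001u    /* 224.0.0.1, host byte order */

#define OPT_ROUTER_ALERT 0x1           /* stands in for PF_OPT_ROUTER_ALERT */
#define OPT_OTHER        0x2           /* any other IP option */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

struct pkt_desc {                      /* subset of what pf keeps in pd */
    uint8_t  proto;
    uint8_t  ttl;
    uint32_t dst;                      /* host byte order */
    unsigned badopts;
};

/* Parse an IPv4 header and walk its options; -1 on a malformed header. */
static int parse_ipv4(const uint8_t *buf, size_t len, struct pkt_desc *pd)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return -1;
    memset(pd, 0, sizeof(*pd));
    pd->ttl = buf[8];
    pd->proto = buf[9];
    pd->dst = ((uint32_t)buf[16] << 24) | ((uint32_t)buf[17] << 16) |
              ((uint32_t)buf[18] << 8) | buf[19];
    for (size_t off = 20; off < hlen; ) {
        uint8_t type = buf[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= hlen)
            return -1;                 /* option header runs past header */
        uint8_t olen = buf[off + 1];
        if (olen < 2 || off + olen > hlen)
            return -1;
        if (type == IPOPT_RA) {
            if (olen != 4)
                return -1;             /* Router Alert is always 4 bytes */
            pd->badopts |= OPT_ROUTER_ALERT;
        } else {
            pd->badopts |= OPT_OTHER;
        }
        off += olen;
    }
    return 0;
}

/* The quoted check, followed by the simplified "bad options drop" rule. */
static enum verdict igmp_check(struct pkt_desc *pd)
{
    if (pd->proto == PROTO_IGMP) {
        /* RFC 1112: IGMP to 224.0.0.1 must carry TTL 1 */
        if (pd->ttl != 1 && pd->dst == ALLHOSTS_GROUP)
            return VERDICT_DROP;
        pd->badopts &= ~OPT_ROUTER_ALERT;   /* RA is expected on IGMP */
    }
    return pd->badopts ? VERDICT_DROP : VERDICT_PASS;
}

/* Build a constructed IPv4 header (src 10.0.0.1) with optional Router Alert. */
static size_t build_ipv4(uint8_t *buf, uint8_t proto, uint8_t ttl,
                         uint32_t dst, int router_alert)
{
    size_t hlen = router_alert ? 24 : 20;
    memset(buf, 0, hlen);
    buf[0] = (uint8_t)(0x40 | (hlen / 4));
    buf[3] = (uint8_t)hlen;            /* total length: header only */
    buf[8] = ttl;
    buf[9] = proto;
    buf[12] = 10; buf[15] = 1;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    if (router_alert) { buf[20] = IPOPT_RA; buf[21] = 4; }
    return hlen;
}

enum verdict filter_packet(const uint8_t *buf, size_t len)
{
    struct pkt_desc pd;
    if (parse_ipv4(buf, len, &pd) < 0)
        return VERDICT_DROP;
    return igmp_check(&pd);
}

/* Convenience: build one packet and filter it. */
enum verdict check_case(uint8_t proto, uint8_t ttl, uint32_t dst, int ra)
{
    uint8_t buf[32];
    size_t n = build_ipv4(buf, proto, ttl, dst, ra);
    return filter_packet(buf, n);
}

int main(void)
{
    printf("IGMP ttl1 224.0.0.1 +RA : %s\n", check_case(PROTO_IGMP, 1, ALLHOSTS_GROUP, 1) ? "drop" : "pass");
    printf("IGMP ttl64 224.0.0.1 +RA: %s\n", check_case(PROTO_IGMP, 64, ALLHOSTS_GROUP, 1) ? "drop" : "pass");
    printf("UDP  ttl64 224.0.0.1 +RA: %s\n", check_case(PROTO_UDP, 64, ALLHOSTS_GROUP, 1) ? "drop" : "pass");
    return 0;
}
```

The TTL check only applies to the all-hosts group, exactly as in the quoted code: an IGMPv3 report to 224.0.0.22 with TTL 64 still passes, while a non-IGMP packet carrying Router Alert is still treated as having a bad option.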