pf: test rules evaluation in the face of multiple IPv6 fragment headers

Description

Send an ICMPv6 echo request packet with multiple IPv6 fragment headers.
Set rules to pass all packets, except for ICMPv6 echo requests.

pf ought to drop the echo request, but doesn't because it reassembles
the packet, and then doesn't handle the second fragment header. In other
words: it fails to detect the ICMPv6 echo header.

Reported by: Enrico Bassetti <bassetti@di.uniroma1.it> (NetSecurityLab @ Sapienza University of Rome)
MFC after: instant
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit b23dbabb7f3edb3f323a64f03e37be2c9a8b2a45)
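
The failure mode the commit message describes, as an added C sketch that is not code from pf or from the FreeBSD test suite: a header-chain walk that stops after the first fragment header reports protocol 44, so a rule matching ICMPv6 never fires, while a walk that continues through nested fragment headers finds protocol 58. The packet bytes, `upper_layer_proto` and its `max_frag_hdrs` parameter are constructed for this illustration, and the sketch assumes atomic fragments (offset 0, no more-fragments flag), i.e. the packet as it looks after reassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_ICMPV6 = 58, NH_DSTOPTS = 60 };

/* Constructed sample: IPv6 header, two atomic fragment headers, ICMPv6 echo request. */
static const uint8_t sample_pkt[64] = {
    0x60, 0, 0, 0, 0, 24, NH_FRAGMENT, 64,            /* version, payload len 24, next hdr, hop limit */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,  /* src 2001:db8::1 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,  /* dst 2001:db8::2 */
    NH_FRAGMENT, 0, 0, 0, 0, 0, 0, 1,                 /* fragment header 1: next = fragment */
    NH_ICMPV6, 0, 0, 0, 0, 0, 0, 2,                   /* fragment header 2: next = ICMPv6 */
    128, 0, 0, 0, 0, 1, 0, 1                          /* echo request (checksum left at zero) */
};

/*
 * Return the protocol a filter rule would be matched against, or -1 if the
 * packet is truncated or malformed. max_frag_hdrs = 1 models a walk that
 * gives up after the first fragment header; larger values keep walking.
 */
static int upper_layer_proto(const uint8_t *p, size_t len, int max_frag_hdrs)
{
    size_t off = 40, hlen;
    int nh, frags = 0, hops;

    if (len < 40 || (p[0] >> 4) != 6)
        return -1;
    nh = p[6];
    for (hops = 0; hops < 16; hops++) {      /* bound the chain length */
        if (nh == NH_FRAGMENT) {
            if (frags == max_frag_hdrs)
                return nh;                   /* walk abandoned: rule sees proto 44 */
            frags++;
            hlen = 8;                        /* fragment header has a fixed size */
        } else if (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
            if (len - off < 2)
                return -1;
            hlen = ((size_t)p[off + 1] + 1) * 8;
        } else {
            return nh;                       /* reached the upper-layer protocol */
        }
        if (len - off < hlen)
            return -1;
        nh = p[off];
        off += hlen;
    }
    return -1;
}

int main(void)
{
    printf("stop after first: %d, full walk: %d\n",
        upper_layer_proto(sample_pkt, sizeof(sample_pkt), 1),
        upper_layer_proto(sample_pkt, sizeof(sample_pkt), 8));
    return 0;
}
```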

Details

Provenance
kp Authored on Jul 13 2023, 6:34 AM
Parents
rG3a0461f23a4f: pf: handle multiple IPv6 fragment headers