pf: should be enforcing TTL=1 to packets sent to 224.0.0.1 only.

Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail>

OK bluhm@

Obtained from:	OpenBSD, sashan <sashan@openbsd.org>, 58feb3ffc6
Sponsored by:	Rubicon Communications, LLC ("Netgate")

2 files changed, 12 insertions, 3 deletions

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 4325835c7671..a9d89afd58a1 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9997,9 +9997,12 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 	pd->proto = h->ip_p;
 	/* IGMP packets have router alert options, allow them */
 	if (pd->proto == IPPROTO_IGMP) {
-		/* According to RFC 1112 ttl must be set to 1. */
-		if ((h->ip_ttl != 1) ||
-		    !IN_MULTICAST(ntohl(h->ip_dst.s_addr))) {
+		/*
+		 * According to RFC 1112 ttl must be set to 1 in all IGMP
+		 * packets sent to 224.0.0.1
+		 */
+		if ((h->ip_ttl != 1) &&
+		    (h->ip_dst.s_addr == INADDR_ALLHOSTS_GROUP)) {
 			DPFPRINTF(PF_DEBUG_MISC, "Invalid IGMP");
 			REASON_SET(reason, PFRES_IPOPTIONS);
 			return (PF_DROP);
diff --git a/tests/sys/netpfil/pf/igmp.py b/tests/sys/netpfil/pf/igmp.py
index b339a2825082..5d72a1c093a7 100644
--- a/tests/sys/netpfil/pf/igmp.py
+++ b/tests/sys/netpfil/pf/igmp.py
@@ -93,3 +93,9 @@ class TestIGMP(VnetTestTemplate):
             options=[sp.IPOption_Router_Alert()]) \
             / sc.igmp.IGMP(type=0x11, mrcode=1)
         assert not self.find_igmp_reply(pkt, ifname)
+
+        # Or with the wrong destination address
+        pkt = sp.IP(dst="224.0.0.2%%%s" % ifname, ttl=2,
+            options=[sp.IPOption_Router_Alert()]) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        assert not self.find_igmp_reply(pkt, ifname)