DF-0470
Disabling the ip6_hdrnestlimit sysctl (=0) removes the only ext-header depth bound: no hard floor
Summary
The extension-header loop is bounded by if (ip6_hdrnestlimit && ++nest > ip6_hdrnestlimit) (:693). Because the condition short-circuits, setting sysctl net.inet6.ip6.hdrnestlimit=0 (default 50) disables the check entirely. There is no hard-coded floor. An operator who sets 0 lets an attacker drive arbitrarily deep ext-header chains, bounded only by packet size. The result is configurable CPU amplification. The default config is safe. Fix: treat 0 as the default of 50, or enforce an internal HARD_MAX independent of operator input.
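The check and the proposed fix, as an added example in C (not the kernel's own code). It is a simplified model of the loop that walks only Destination Options headers in a constructed buffer; the function names and the HDRNEST_HARD_MAX value of 64 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define HDRNEST_DEFAULT  50  /* default given in the finding */
#define HDRNEST_HARD_MAX 64  /* hypothetical internal ceiling (assumption) */
#define PROTO_DSTOPTS    60  /* IPv6 Destination Options */
#define PROTO_NONE       59  /* IPv6 No Next Header */

/* Check as quoted in the finding: limit == 0 short-circuits the bound. */
static int over_current(int limit, int nest) { return limit && nest > limit; }

/* Hardened form: 0 falls back to the default, any operator value is clamped. */
static int over_hardened(int limit, int nest) {
    int eff = limit > 0 ? limit : HDRNEST_DEFAULT;
    if (eff > HDRNEST_HARD_MAX) eff = HDRNEST_HARD_MAX;
    return nest > eff;
}

/* Model of the loop: headers processed, -1 if dropped for nesting, -2 if truncated. */
static int walk(const uint8_t *pkt, size_t len, int limit, int (*over)(int, int)) {
    size_t off = 0;
    int nest = 0;
    uint8_t nxt = PROTO_DSTOPTS;
    while (nxt == PROTO_DSTOPTS) {
        if (over(limit, ++nest)) return -1;
        if (len - off < 8) return -2;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len: 8-octet units */
        if (hlen > len - off) return -2;
        nxt = pkt[off];
        off += hlen;
    }
    return nest;
}

/* Constructed sample input: n minimal 8-byte headers, walked with the chosen check. */
static int demo(int limit, int hardened, size_t n) {
    static uint8_t buf[1280];
    if (n == 0 || n * 8 > sizeof buf) return -2;
    for (size_t i = 0; i < n; i++) {
        uint8_t *h = buf + i * 8;
        h[0] = (i + 1 < n) ? PROTO_DSTOPTS : PROTO_NONE;
        h[1] = 0; h[2] = 1; h[3] = 4; h[4] = h[5] = h[6] = h[7] = 0;  /* PadN filler */
    }
    return walk(buf, n * 8, limit, hardened ? over_hardened : over_current);
}

int main(void) {
    printf("current: %d %d, hardened: %d\n", demo(50, 0, 150), demo(0, 0, 150), demo(0, 1, 150));
    return 0;
}
```

With the quoted check, a limit of 0 lets all 150 headers in the buffer be processed; the hardened check drops the same buffer at depth 51.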