DF-0516
ip6opts_match bails to opts_check on short first mbuf: IPv6 option matching silently skipped -> firewall bypass
Summary
ip6opts_match (:256-259): if ((*m)->m_len < *off + sizeof(*ip6e)) goto opts_check. If the first mbuf doesn't contain the next extension header (mbuf chain split, no m_pullup), the function bails to opts_check, which returns 1 (match) when opts == 0 && nopts == nopts_sve. A rule requesting fw_ip6opt (require presence, e.g. hop-by-hop) or fw_ip6nopt (require absence) is silently treated as matching a packet whose option chain couldn't be walked. Attacker crafts IPv6 with headers spanning an mbuf boundary -> firewall bypass for option-keyed rules. Fix: m_pullup before bailing; return no-match on failure.
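Added example (not the project's code): a simplified C model of the bail and of the fix, narrowed to the require-absence case. struct seg, pullup, opts_match, demo, OPT_HOPOPT and the way the counters are initialized are assumptions standing in for the kernel's mbuf, m_pullup and rule fields; the sample packet is constructed.

```c
#include <string.h>

/* Simplified stand-ins (assumptions), not the kernel's mbuf or rule structs. */
struct seg { const unsigned char *data; size_t len; const struct seg *next; };
#define OPT_HOPOPT  0x01u /* hypothetical rule flag bit: hop-by-hop header */
#define NXT_HOPOPTS 0     /* IPv6 next-header value for hop-by-hop options */
#define IP6_HDRLEN  40    /* fixed header, assumed whole in the first segment */

/* Model of m_pullup: gather the first `need` bytes of the chain; 0 on success. */
static int pullup(const struct seg *s, unsigned char *buf, size_t need)
{
    size_t got = 0;
    for (; s != NULL && got < need; s = s->next) {
        size_t n = s->len < need - got ? s->len : need - got;
        memcpy(buf + got, s->data, n);
        got += n;
    }
    return got == need ? 0 : -1;
}

/* Returns 1 if the rule (opt = must be present, nopt = must be absent) matches. */
static int opts_match(const struct seg *m, unsigned opt, unsigned nopt, int hardened)
{
    unsigned opts = opt, nopts = nopt, nopts_sve = nopt;
    unsigned char buf[128];
    size_t off = IP6_HDRLEN, len = IP6_HDRLEN + (((size_t)m->data[4] << 8) | m->data[5]);
    int nxt = m->data[6];
    while (off < len && nxt == NXT_HOPOPTS) {
        if (m->len < off + 2) {              /* header not in first segment */
            if (!hardened)
                goto opts_check;             /* flawed bail: chain not examined */
            if (off + 2 > sizeof(buf) || pullup(m, buf, off + 2) != 0)
                return 0;                    /* fix: cannot walk chain, no match */
        }
        const unsigned char *e = (m->len < off + 2) ? buf + off : m->data + off;
        opts &= ~OPT_HOPOPT;                 /* hop-by-hop header seen */
        nopts &= ~OPT_HOPOPT;
        nxt = e[0];
        off += ((size_t)e[1] + 1) * 8;
    }
opts_check:
    return opts == 0 && nopts == nopts_sve;
}

/* Constructed sample: fixed header in segment 1, hop-by-hop header in segment 2. */
static int demo(unsigned opt, unsigned nopt, int hardened)
{
    static const unsigned char hbh[8] = { 59, 0, 1, 4, 0, 0, 0, 0 }; /* next=none, PadN */
    const unsigned char ip6[IP6_HDRLEN] = { [0] = 0x60, [5] = sizeof(hbh) };
    const struct seg s2 = { hbh, sizeof(hbh), NULL }, s1 = { ip6, sizeof(ip6), &s2 };
    return opts_match(&s1, opt, nopt, hardened);
}
```

With the bail, a "hop-by-hop must be absent" rule matches the constructed packet even though the header is present in the second segment; with the pull-up the same rule correctly does not match.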