Module Name:    src
Committed By:   tih
Date:           Wed Apr 17 20:41:59 UTC 2019

Modified Files:
        src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c

Log Message:
Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

CVS: ----------------------------------------------------------------------
CVS: CVSROOT  cvs.NetBSD.org:/cvsroot
CVS: please use "PR category/123" to have the commitmsg appended to PR 123
CVS:
CVS: Please evaluate your changes and consider the following.
CVS: Abort checkin if you answer no.
CVS:
CVS: => For all changes:
CVS:    Do the changed files compile?
CVS:    Has the change been tested?
CVS:
CVS: => If you are not completely familiar with the changed components:
CVS:    Has the change been posted for review?
CVS:    Have you allowed enough time for feedback?
CVS:
CVS: => If the change is major:
CVS: => If the change adds files to, or removes files from $DESTDIR:
CVS: => If you are changing a library or kernel interface:
CVS:    Have you successfully run "./build.sh release"?

The documented default "flags S/SAFR" for stateful rules that affect TCP
packets but don't specify any flags does not actually get applied to a rule
like "pass stateful out all".  The big problem with this is that when you
then do a "block return-rst" for an incoming packet, the generated RST
packet will create state for the connection attempt it's blocking, so that
a second attempt from the same source will pass.

This change makes the default flags actually apply to such simple rules.
It also fixes a related bug in the code generation for the flag matching,
where part of the action could erroneously be omitted.

Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
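The failure mode the commit message describes can be reproduced in a small
simulation.  The following C program is an added example, not code from the
NetBSD commit or from npfctl: it models a stateful outbound rule as a
"mask/match" pair on the TCP flag byte (the semantics npf.conf's
"flags S/SAFR" expresses: SYN set, ACK/FIN/RST clear), a state table that
matches a flow in either direction, and an inbound "block return-rst" rule
whose generated RST is evaluated by the outbound rule.  The flow, port
numbers, state-table shape and the assumption that a RST emitted by the
firewall takes the same outbound path as any other packet are constructed
for this illustration and are not taken from the NPF source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits (same values as <netinet/tcp.h>). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct flow { uint32_t src, dst; uint16_t sport, dport; };

/* A stateful pass rule with an optional TCP flags filter, written like
 * npf.conf's "flags S/SAFR": the packet passes and creates state only when
 * (tcp_flags & mask) == match.  has_flags == false models the pre-fix
 * behaviour of a rule that names no flags: every TCP packet creates state. */
struct rule { bool has_flags; uint8_t match, mask; };

const struct rule RULE_NO_FLAGS = { false, 0, 0 };
const struct rule RULE_S_SAFR   = { true, TH_SYN, TH_SYN | TH_ACK | TH_FIN | TH_RST };

/* Minimal state table (assumption: entries match either direction of a flow). */
static struct flow states[16];
static int nstates;

static bool same_flow(const struct flow *a, const struct flow *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

static struct flow reverse_flow(const struct flow *f) {
    struct flow r = { f->dst, f->src, f->dport, f->sport };
    return r;
}

static bool state_lookup(const struct flow *f) {
    struct flow r = reverse_flow(f);
    for (int i = 0; i < nstates; i++)
        if (same_flow(&states[i], f) || same_flow(&states[i], &r))
            return true;
    return false;
}

static void state_insert(const struct flow *f) {
    if (nstates < 16)
        states[nstates++] = *f;
}

void state_reset(void) { nstates = 0; }

/* The flag check a "flags match/mask" rule performs. */
bool rule_flags_match(const struct rule *r, uint8_t tcp_flags) {
    return !r->has_flags || (tcp_flags & r->mask) == r->match;
}

/* One inbound SYN against "block return-rst in" plus an outbound stateful
 * rule.  Returns true if existing state let the SYN through, false if it was
 * blocked.  When blocked, the firewall's RST|ACK reply is evaluated by the
 * outbound rule and may itself create state for the reversed flow. */
bool inbound_syn(const struct rule *out_rule, const struct flow *f) {
    if (state_lookup(f))
        return true;
    struct flow rst = reverse_flow(f);
    if (rule_flags_match(out_rule, TH_RST | TH_ACK))
        state_insert(&rst);          /* the RST opens a state for the blocked flow */
    return false;
}

/* Two identical connection attempts from one source; reports whether the
 * second one is passed by state created while blocking the first. */
bool second_attempt_passes(const struct rule *out_rule) {
    /* constructed sample flow: 10.0.0.1:40000 -> 10.0.0.2:22 */
    struct flow f = { 0x0a000001, 0x0a000002, 40000, 22 };
    state_reset();
    inbound_syn(out_rule, &f);
    return inbound_syn(out_rule, &f);
}

int main(void) {
    printf("outbound rule without flags:      second SYN passes = %d\n",
           second_attempt_passes(&RULE_NO_FLAGS));
    printf("outbound rule with default S/SAFR: second SYN passes = %d\n",
           second_attempt_passes(&RULE_S_SAFR));
    return 0;
}
```

With no flags on the outbound rule, the RST|ACK generated for the first
blocked SYN satisfies the rule and inserts state for the reversed flow, so the
second SYN from the same source matches that state and passes; with the
default S/SAFR applied, RST|ACK fails the mask check, no state is created, and
the second SYN is blocked like the first.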