Module Name:    src
Committed By:   martin
Date:           Fri Apr 19 09:10:50 UTC 2019

Modified Files:
        src/usr.sbin/npf/npfctl [netbsd-8]: npf_bpf_comp.c npf_build.c

Log Message:
Pull up following revision(s) (requested by tih in ticket #1232):

        usr.sbin/npf/npfctl/npf_build.c: revision 1.48
        usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.12

Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

The documented default "flags S/SAFR" for stateful rules that affect
TCP packets but don't specify any flags, doesn't actually get applied
to a rule like "pass stateful out all". The big problem with this is
that when you then do a "block return-rst" for an incoming packet, the
generated RST packet will create state for the connection attempt it's
blocking, so that a second attempt from the same source will pass.

This change makes the default flags actually apply to such simple
rules. It also fixes a related bug in the code generation for the flag
matching, where part of the action could erroneously be omitted.

Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8

To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.10.6.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.44 -r1.44.4.1 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
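
The failure described in the log message, as an added example: a simplified C model written for this page, not NPF or npfctl source. It shows why a stateful outbound rule with no flag test lets the firewall's own RST create state, and why "flags S/SAFR" prevents it. The single-flow state flag, the struct and function names, and the RST|ACK flags on the reply are assumptions of the model.

```c
/* Simplified model (not NPF source) of stateful rule matching on TCP flags. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* "flags set/mask": of the bits in mask, exactly those in set must be on. */
struct flag_match { uint8_t set, mask; };

/* mask == 0 models the bug: no flag test ends up attached to the rule. */
static const struct flag_match NO_FLAGS = { 0, 0 };
static const struct flag_match S_SAFR =
    { TH_SYN, TH_SYN | TH_ACK | TH_FIN | TH_RST };

static bool flags_match(struct flag_match m, uint8_t tcp_flags)
{
    return (tcp_flags & m.mask) == m.set;
}

/*
 * One flow between a remote client and a local port (hypothetical model).
 * Inbound policy: "block return-rst"; outbound policy: "pass stateful out
 * all" with out_rule as its effective flag test.  Returns true if a second
 * inbound SYN gets through after the first one was answered with a RST.
 */
static bool second_attempt_passes(struct flag_match out_rule)
{
    bool have_state = false;

    for (int attempt = 1; attempt <= 2; attempt++) {
        if (have_state)
            return true;        /* inbound SYN matched existing state */
        /* Blocked: the reply (assumed RST|ACK) is seen by the outbound rule. */
        if (flags_match(out_rule, TH_RST | TH_ACK))
            have_state = true;  /* stateful rule matched: state created */
    }
    return false;
}

int main(void)
{
    printf("no flag test: second SYN passes = %d\n", second_attempt_passes(NO_FLAGS));
    printf("flags S/SAFR: second SYN passes = %d\n", second_attempt_passes(S_SAFR));
    return 0;
}
```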