98e9034765
usr.sbin/npf/npfctl/npf_build.c: revision 1.48 usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.12 Summary: Ensure default TCP flags are applied to rules like 'pass stateful all' The documented default "flags S/SAFR" for stateful rules that affect TCP packets but don't specify any flags, doesn't actually get applied to a rule like "pass stateful out all". The big problem with this is that when you then do a "block return-rst" for an incoming packet, the generated RST packet will create state for the connection attempt it's blocking, so that a second attempt from the same source will pass. This change makes the default flags actually apply to such simple rules. It also fixes a related bug in the code generation for the flag matching, where part of the action could erroneously be omitted. Reviewed by <rmind> Closes PR bin/54124 Pullup to NetBSD 8 |
||
|---|---|---|
| .. | ||
| npfctl | ||
| npfd | ||
| npftest | ||
| Makefile | ||
| Makefile.inc | ||
| npf.7 | ||