The documented default "flags S/SAFR" for stateful rules that affect TCP packets but don't specify any flags doesn't actually get applied to a rule like "pass stateful out all". The big problem with this is that when you then do a "block return-rst" for an incoming packet, the generated RST packet will create state for the connection attempt it's blocking, so that a second attempt from the same source will pass. This change makes the default flags actually apply to such simple rules. It also fixes a related bug in the code generation for the flag matching, where part of the action could erroneously be omitted.

Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8
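The failure mode the commit describes can be modelled in a few lines. The following is an added illustration, not NPF's own code: a toy stateful filter with one "pass stateful out all" rule and one "block return-rst in" rule, where `flags MATCH/MASK` is interpreted as "of the bits in MASK, exactly the bits in MATCH must be set" (so "S/SAFR" means SYN set, ACK/FIN/RST clear). Passing `None` as the outbound flag spec models the pre-fix behaviour in which the documented default was never attached to the rule, so the generated RST creates state; passing "S/SAFR" models the fixed behaviour. The addresses and port numbers are constructed for the example.

```python
# Added example: a model of NPF-style TCP flag matching and of the
# "block return-rst creates state" bug.  Not NPF code.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
SYN, ACK, RST = TCP_FLAGS["S"], TCP_FLAGS["A"], TCP_FLAGS["R"]


def parse_flags(spec):
    """Parse "MATCH/MASK" (e.g. "S/SAFR") into (match, mask) bitmasks.
    Without a "/MASK" part the mask is taken to equal the match set."""
    match, _, mask = spec.partition("/")
    m = sum(TCP_FLAGS[c] for c in match)
    k = sum(TCP_FLAGS[c] for c in mask) if mask else m
    return m, k


def flags_match(pkt_flags, spec):
    """True if, looking only at the bits in MASK, exactly the MATCH bits are set."""
    m, k = parse_flags(spec)
    return (pkt_flags & k) == m


class StatefulFilter:
    """Toy firewall: 'pass stateful out all' plus 'block return-rst in'.

    out_flags is the flag spec attached to the stateful out rule.  None models
    the pre-fix behaviour where no default was applied and every outbound TCP
    packet, including a generated RST, created state."""

    def __init__(self, out_flags):
        self.out_flags = out_flags
        self.state = set()  # (src, dst) pairs for which state exists

    def outbound(self, src, dst, flags):
        if self.out_flags is None or flags_match(flags, self.out_flags):
            self.state.add((src, dst))
        return "pass"

    def inbound(self, src, dst, flags):
        # The reply direction of an existing state entry is allowed through.
        if (dst, src) in self.state:
            return "pass"
        # block return-rst: reject and send RST+ACK back to the sender.  That
        # RST is an outbound TCP packet, so the stateful out rule sees it.
        self.outbound(dst, src, RST | ACK)
        return "block"


def probe_twice(out_flags):
    """Two inbound SYNs from the same source; returns the verdict for each.
    Constructed sample addresses, not captured traffic."""
    fw = StatefulFilter(out_flags)
    first = fw.inbound("10.0.0.2:40000", "10.0.0.1:22", SYN)
    second = fw.inbound("10.0.0.2:40000", "10.0.0.1:22", SYN)
    return first, second


if __name__ == "__main__":
    print("no default flags:", probe_twice(None))      # second SYN passes
    print("flags S/SAFR:   ", probe_twice("S/SAFR"))  # both SYNs blocked
```

With no flag spec on the out rule the generated RST+ACK creates state and the second SYN is passed as a reply to it; with "S/SAFR" only a bare SYN can create state, so the RST is sent without any side effect and the second attempt is blocked as well.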
The NPF project upstream repository: https://github.com/rmind/npf/ Please submit the pull requests to the upstream when possible.