-rw-r--r-- | UPDATING | 9 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/fil.c | 2 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_state.c | 3 |
3 files changed, 12 insertions, 2 deletions
@@ -21,6 +21,15 @@ from older version of current across the gcc/clang cutover is a bit fragile.
 use any explicitly assigned loopback address available in the jail instead of using the first assigned address of the jail.
+20170413:
+ As of r316810 for ipfilter, keep frags is no longer assumed when
+ keep state is specified in a rule. r316810 aligns ipfilter with
+ documentation in man pages separating keep frags from keep state.
+ This allows keep state to specified without forcing keep frags
+ and allows keep frags to be specified independently of keep state.
+ To maintain previous behaviour, also specify keep frags with
+ keep state (as documented in ipf.conf.5).
+
 20170402:
 Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 4.0.0.
 Please see the 20141231 entry below for information about prerequisites
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 0aeb44b..4a73243 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -2786,7 +2786,7 @@ ipf_firewall(fin, passp)
 * If the rule has "keep frag" and the packet is actually a fragment,
 * then create a fragment state entry.
 */
- if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+ if (pass & FR_KEEPFRAG) {
 if (fin->fin_flx & FI_FRAG) {
 if (ipf_frag_new(softc, fin, pass) == -1) {
 LBUMP(ipf_stats[out].fr_bnfr);
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index 34a64f0..a450901 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -3414,7 +3414,8 @@ ipf_state_check(fin, passp)
 * If this packet is a fragment and the rule says to track fragments,
 * then create a new fragment cache entry.
 */
- if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+ if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&
+ is->is_pass & FR_KEEPFRAG)
 (void) ipf_frag_new(softc, fin, is->is_pass);
 /* |
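Review bot: The comment above the new `if (pass & FR_KEEPFRAG)` test in ipf_firewall does not record that fragment tracking is now decided by "keep frags" alone, so a rule carrying only keep state no longer creates a fragment cache entry at this point. I would add a line to that comment such as `* "keep frags" is checked on its own; "keep state" neither implies nor suppresses it.` so the old coupling is not reintroduced by a later cleanup. Presumably non-initial fragments of such flows are then judged by the ruleset rather than the cache, so upgraded rule sets deserve a check for dropped fragmented traffic; that effect is not visible in this hunk. The body of the `if` continues past the end of the hunk.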
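Review bot: The new condition in ipf_state_check drops the parentheses the removed line had and relies on `&` binding tighter than `&&`; it evaluates as intended, but in a pass/track decision the grouping should be explicit: `if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) &&` followed by `(is->is_pass & FR_KEEPFRAG))`. The call that follows still discards the result of ipf_frag_new with `(void)`, whereas the fil.c hunk counts a failure in `fr_bnfr`; if a failed insert affects later fragments of a tracked flow, counting it here as well would help diagnosis. The enclosing function starts and ends outside the hunk.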