-rw-r--r--UPDATING9
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c2
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.c3
3 files changed, 12 insertions, 2 deletions
diff --git a/UPDATING b/UPDATING
index ac5d364..bcc948f 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,15 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20170413:
+ As of r316810 for ipfilter, keep frags is no longer assumed when
+ keep state is specified in a rule. r316810 aligns ipfilter with
+ documentation in man pages separating keep frags from keep state.
+ This allows keep state to specified without forcing keep frags
+ and allows keep frags to be specified independently of keep state.
+ To maintain previous behaviour, also specify keep frags with
+ keep state (as documented in ipf.conf.5).
+
20170323:
The code that provides support for ZFS .zfs/ directory functionality
has been reimplemented. It's not possible now to create a snapshot
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 55a2a4d..00e4a81 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -2752,7 +2752,7 @@ ipf_firewall(fin, passp)
* If the rule has "keep frag" and the packet is actually a fragment,
* then create a fragment state entry.
*/
- if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+ if (pass & FR_KEEPFRAG) {
if (fin->fin_flx & FI_FRAG) {
if (ipf_frag_new(softc, fin, pass) == -1) {
LBUMP(ipf_stats[out].fr_bnfr);
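Review bot: The comment above `if (pass & FR_KEEPFRAG) {` does not record that the test is now deliberately independent of FR_KEEPSTATE, so a later reader could restore the old mask. I would extend it with a line such as `* This no longer depends on "keep state": a rule with only "keep state" gets no fragment entry.` Rulesets that relied on the implicit behaviour will presumably see non-first fragments fall through to ordinary rule evaluation, which deserves a mention next to the code as well as in UPDATING. ipf_firewall's body starts and ends outside this hunk.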
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index 2ceec32..0d90505 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -3408,7 +3408,8 @@ ipf_state_check(fin, passp)
* If this packet is a fragment and the rule says to track fragments,
* then create a new fragment cache entry.
*/
- if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+ if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&
+ is->is_pass & FR_KEEPFRAG)
(void) ipf_frag_new(softc, fin, is->is_pass);
/*
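Review bot: The new condition at `if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&` drops the parentheses the old line had around the bitwise test and mixes `&` with `&&` unbracketed. The precedence is correct, but that is easy to misread in a packet-filter decision. I would write `if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) &&` followed by `(is->is_pass & FR_KEEPFRAG))`. Separately, the result of ipf_frag_new() is discarded with `(void)` on the next line, whereas the fil.c hunk bumps `fr_bnfr` on failure, so a failed fragment-cache insert on this path appears to go uncounted. ipf_state_check's body extends outside the hunk.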