1 files changed, 13 insertions, 4 deletions

diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index ed319d4..146e70a 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -97,7 +97,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $";
 #endif
 
 #ifndef	_KERNEL
@@ -1076,7 +1076,7 @@ int out;
 		fin->fin_fr = fr;
 		if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
 			if (fin->fin_fl & FI_FRAG) {
-				if (ipfr_newfrag(ip, fin, pass) == -1) {
+				if (ipfr_newfrag(ip, fin) == -1) {
 					ATOMIC_INCL(frstats[out].fr_bnfr);
 				} else {
 					ATOMIC_INCL(frstats[out].fr_nfr);
@@ -1191,7 +1191,16 @@ logit:
 		 * some operating systems.
 		 */
 		if (!out) {
-			if (pass & FR_RETICMP) {
+			if (changed == -1)
+				/*
+				 * If a packet results in a NAT error, do not
+				 * send a reset or ICMP error as it may disrupt
+				 * an existing flow.  This is the proxy saying
+				 * the content is bad so just drop the packet
+				 * silently.
+				 */
+				;
+			else if (pass & FR_RETICMP) {
 				int dst;
 
 				if ((pass & FR_RETMASK) == FR_FAKEICMP)
@@ -1501,7 +1510,7 @@ nodata:
  * SUCH DAMAGE.
  *
  *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $
  */
 /*
  * Copy data from an mbuf chain starting "off" bytes from the beginning,