From 1a36de8090ca93b96cbcf1600aa926043c3cd362 Mon Sep 17 00:00:00 2001
From: kris
Date: Tue, 23 Jan 2001 21:11:28 +0000
Subject: Fix the vulnerability with TCP ECE packets recently fixed in ipfw. This is untested, but believed to work.
---
 sbin/ip6fw/ip6fw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sbin/ip6fw')
diff --git a/sbin/ip6fw/ip6fw.c b/sbin/ip6fw/ip6fw.c
index a25fed5..0c5b3b4 100644
--- a/sbin/ip6fw/ip6fw.c
+++ b/sbin/ip6fw/ip6fw.c
@@ -364,7 +364,7 @@ show_ip6fw(struct ip6_fw *chain)
 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS)
 PRINTOPT("!opts");
 }
- if (chain->fw_tcpf & IPV6_FW_TCPF_ESTAB)
+ if (chain->fw_ipflg & IPV6_FW_IF_TCPEST)
 printf(" established");
 else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&
 chain->fw_tcpnf == IPV6_FW_TCPF_ACK)
@@ -1060,7 +1060,7 @@ badviacombo:
 }
 if (rule.fw_prot == IPPROTO_TCP) {
 if (!strncmp(*av,"established",strlen(*av))) {
- rule.fw_tcpf |= IPV6_FW_TCPF_ESTAB;
+ rule.fw_ipflg |= IPV6_FW_IF_TCPEST;
 av++; ac--; continue;
 }
 if (!strncmp(*av,"setup",strlen(*av))) {
-- 
cgit v1.1
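Review bot: In the show_ip6fw hunk (@@ -364), the `else if` after the new `fw_ipflg` test means a rule with IPV6_FW_IF_TCPEST set is listed as just ` established`, and anything it also carries in fw_tcpf/fw_tcpnf is never printed. Now that the established bit lives in its own field the two tests are independent, and the parser hunk at @@ -1060 does `continue` after `established`, so a later `setup` or flag keyword on the same rule looks reachable, though that code is outside the hunks. For a listing that people use to audit firewall rules, I would print the keyword on its own and start the flag chain fresh: keep `if (chain->fw_ipflg & IPV6_FW_IF_TCPEST) printf(" established");` and begin the next test with `if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&` instead of `else if`. The rest of the chain runs past the end of the hunk, so its final branch should be checked to make sure it does not then print an empty flag list.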
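Review bot: The new assignment in the rule-parser hunk (@@ -1060) has no comment saying why `established` must stay out of fw_tcpf, and that reason is the whole fix. A line such as `/* keep "established" in fw_ipflg: fw_tcpf is matched against the packet's TCP flags, so a bit there can alias a real header flag (ECE) */` above `rule.fw_ipflg |= IPV6_FW_IF_TCPEST;` would stop a later cleanup from folding it back; the aliasing is inferred from the commit message, so word it to match the kernel header. The flag only has an effect if the kernel matcher tests IPV6_FW_IF_TCPEST in fw_ipflg, and this page shows only sbin/ip6fw while the message says the change is untested, so confirm the kernel side landed with it and that a rule added with `established` matches as intended and lists back as ` established`. The enclosing parse loop starts and ends outside the hunk.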