authorjim-p <jimp@pfsense.org>2013-06-18 10:51:25 -0400
committerjim-p <jimp@pfsense.org>2013-06-18 10:52:29 -0400
commit57fa70112a9ab5bec06f5dd64bf0d987dfdae159 (patch)
tree5cd76eb265aaa8dac53694a8a44f54f416e6aa3a /etc/inc
parentbca506d4318970a497f0b369e3c6558d359f37f9 (diff)
Ensure that we only add a state type on pass, and that we only add flags to a TCP reject rule if they were not added previously. Fixes #3050
Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/filter.inc5
1 files changed, 3 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 7635cc8..6d7bd9e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2293,7 +2293,8 @@ function filter_generate_user_rule($rule) {
} else {
$aline['flags'] = "flags S/SA ";
}
-
+ }
+ if (($rule['protocol'] == "tcp") && ($type == "pass")) {
/*
* # keep state
* works with TCP, UDP, and ICMP.
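Review bot: The new guard in front of the keep-state block, `if (($rule['protocol'] == "tcp") && ($type == "pass")) {`, requires TCP as well as pass, although the comment directly under it says keep state works with TCP, UDP, and ICMP and the commit message only asks for a pass check. The body of that block runs past the end of the hunk, so this is inferred: if it is where the state type and any per-rule state limits are written, UDP and ICMP pass rules would silently lose them, and limits configured on those rules would be missing from the generated ruleset. Consider `if ($type == "pass") {` here and leave the TCP-only handling to the flags block that closes just above.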
@@ -2369,7 +2370,7 @@ function filter_generate_user_rule($rule) {
$aline['flags'] .= " ) ";
}
}
- if($type == "reject" && $rule['protocol'] == "tcp") {
+ if($type == "reject" && $rule['protocol'] == "tcp" && (strpos($aline['flags'], 'flags') === false)) {
/* special reject packet */
$aline['flags'] .= "flags S/SA ";
}
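Review bot: The duplicate check in the reject branch, `strpos($aline['flags'], 'flags') === false`, inspects the text of a string that also receives state options (the context line just above appends `" ) "` to the same key), so it only holds while nothing else written to `$aline['flags']` contains the word "flags". That coupling deserves a comment on the condition, for example `/* $aline['flags'] holds TCP flags and state options; add S/SA only if no flags clause was emitted earlier */`. It is also worth confirming that `$aline['flags']` is always initialised before this point, since the function body starts outside the hunk and `strpos()` would otherwise be called on an undefined index.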