author | jim-p <jimp@pfsense.org> | 2013-06-18 10:51:25 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2013-06-18 10:54:04 -0400 |
commit | 5015ec4cd0c497ca1db68e7393d2898ba57efb0b (patch) | |
tree | b7508b99fbd6ab676a4de962d96ede6f9d3b01a8 /etc | |
parent | d17c7b79f1349e3b500b951443032dfa153d32ee (diff) | |
Ensure that we only add a state type on pass, and that we only add flags to a TCP reject rule if they were not added previously. Fixes #3050
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 7635cc8..6d7bd9e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2293,7 +2293,8 @@ function filter_generate_user_rule($rule) {
 } else {
 $aline['flags'] = "flags S/SA ";
 }
-
+ }
+ if (($rule['protocol'] == "tcp") && ($type == "pass")) {
 /*
 * # keep state
 * works with TCP, UDP, and ICMP.
@@ -2369,7 +2370,7 @@ function filter_generate_user_rule($rule) {
 $aline['flags'] .= " ) ";
 }
 }
- if($type == "reject" && $rule['protocol'] == "tcp") {
+ if($type == "reject" && $rule['protocol'] == "tcp" && (strpos($aline['flags'], 'flags') === false)) {
 /* special reject packet */
 $aline['flags'] .= "flags S/SA ";
 }
|
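Review bot: The new guard on the state-type block, `if (($rule['protocol'] == "tcp") && ($type == "pass")) {`, still tests for TCP, while the comment directly beneath it says keep state works with TCP, UDP, and ICMP. If the block that follows also emits state options for UDP and ICMP pass rules, those rules would be generated without the state options configured on them; in that case the test should be `if ($type == "pass") {`. The body of that block and the condition of the flags block closed by the added `}` are outside the hunk, so this needs checking against the full function.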
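Review bot: The added `strpos($aline['flags'], 'flags') === false` test in the second hunk reads `$aline['flags']` without checking that it is set; whether an earlier branch always assigns it for a TCP reject rule is not visible here. An explicit guard makes the intent clear and avoids an undefined-index notice: `if ($type == "reject" && $rule['protocol'] == "tcp" && (empty($aline['flags']) || strpos($aline['flags'], 'flags') === false)) {`. The `/* special reject packet */` comment could also say that flags are added only when the rule did not already set them, since this substring search is the only thing preventing a duplicate `flags` clause in the generated rule.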