NetBSD-Bugs archive


PR/54124 CVS commit: [netbsd-8] src/usr.sbin/npf/npfctl



The following reply was made to PR bin/54124; it has been noted by GNATS.

From: "Martin Husemann" <martin%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/54124 CVS commit: [netbsd-8] src/usr.sbin/npf/npfctl
Date: Fri, 19 Apr 2019 09:10:50 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Fri Apr 19 09:10:50 UTC 2019
 
 Modified Files:
 	src/usr.sbin/npf/npfctl [netbsd-8]: npf_bpf_comp.c npf_build.c
 
 Log Message:
 Pull up following revision(s) (requested by tih in ticket #1232):
 
 	usr.sbin/npf/npfctl/npf_build.c: revision 1.48
 	usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.12
 
 Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'
 
 The documented default "flags S/SAFR" for stateful rules that affect
 TCP packets but don't specify any flags, doesn't actually get applied
 to a rule like "pass stateful out all". The big problem with this is
 that when you then do a "block return-rst" for an incoming packet, the
 generated RST packet will create state for the connection attempt it's
 blocking, so that a second attempt from the same source will pass.
 
 This change makes the default flags actually apply to such simple
 rules.  It also fixes a related bug in the code generation for the
 flag matching, where part of the action could erroneously be omitted.
 
 Reviewed by <rmind>
 Closes PR bin/54124
 Pullup to NetBSD 8
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.10 -r1.10.6.1 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
 cvs rdiff -u -r1.44 -r1.44.4.1 src/usr.sbin/npf/npfctl/npf_build.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
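
The failure described in the log message, as an added example (a simplified model written for this page, not NPF or npfctl code). The struct and function names are hypothetical, and the model assumes the RST generated by "block return-rst" is evaluated against the "pass stateful out all" rule and carries RST|ACK, as a reset answering a bare SYN does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits. */
enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_ACK = 0x10 };

/* "flags set/mask": the bits selected by mask must equal set. */
struct flag_match { uint8_t set, mask; };

/* Simplified stateful pass rule (hypothetical model type).
 * has_flags == false models the pre-fix case, where no flag
 * match was generated for "pass stateful out all". */
struct rule { bool has_flags; struct flag_match fm; };

static const struct rule BEFORE_FIX = { false, { 0, 0 } };
/* After the fix the documented default "flags S/SAFR" applies. */
static const struct rule AFTER_FIX  = {
    true, { F_SYN, F_SYN | F_ACK | F_FIN | F_RST }
};

/* True if a TCP packet with these flags matches the rule and
 * therefore creates a state entry. */
bool creates_state(const struct rule *r, uint8_t tcp_flags)
{
    if (!r->has_flags)
        return true;                 /* every TCP packet matches */
    return (tcp_flags & r->fm.mask) == r->fm.set;
}

/* Sequence from the log message: an inbound SYN is blocked with
 * return-rst, the generated RST goes out through the stateful
 * pass rule, and a retry from the same source passes only if
 * that RST left state behind. */
bool second_attempt_passes(const struct rule *pass_out)
{
    uint8_t rst_reply = F_RST | F_ACK;   /* reset answering a SYN */
    return creates_state(pass_out, rst_reply);
}

int main(void)
{
    printf("before fix, retry passes: %d\n",
           second_attempt_passes(&BEFORE_FIX));
    printf("after fix,  retry passes: %d\n",
           second_attempt_passes(&AFTER_FIX));
    return 0;
}
```

With the S/SAFR mask in place only a bare SYN creates state, so the outgoing reset no longer opens a path for the blocked source.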
 

