
Commit d60afdb

tihrmind
authored andcommitted
Ensure default TCP flags are applied to 'pass stateful all' (#33)
1 parent b5c006b commit d60afdb


2 files changed

+5
-6
lines changed


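--- a/src/npfctl/npf_bpf_comp.c
+++ b/src/npfctl/npf_bpf_comp.c
@@ -565,10 +565,8 @@ npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t tf, uint8_t tf_mask, bool checktcp)
 };
 add_insns(ctx, insns_cmp, __arraycount(insns_cmp));
 
-if (!checktcp) {
-uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
-done_block(ctx, mwords, sizeof(mwords));
-}
+uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
+done_block(ctx, mwords, sizeof(mwords));
 }
 
 /*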
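Review bot: Dropping the `if (!checktcp)` guard makes the BM_TCPFL match-word block unconditional for every caller of npfctl_bpf_tcpfl, not only the 'pass stateful all' case named in the commit title, so callers that pass checktcp=true now also get done_block() appended; that is presumably intended but it widens the effect beyond the stated fix. The start of npfctl_bpf_tcpfl, and any remaining use of checktcp, lies outside the hunk, so whether checktcp still influences the emitted instructions cannot be confirmed here. A short comment above the declaration would record the new contract, e.g. `/* Always emit the TCP-flags match words, regardless of checktcp. */`, and the function's header comment (outside the hunk) should be updated to match.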

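--- a/src/npfctl/npf_build.c
+++ b/src/npfctl/npf_build.c
@@ -363,7 +363,7 @@ static bool
 npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op,
 const filt_opts_t *fopts)
 {
-bool noproto, noaddrs, noports, need_tcpudp = false;
+bool noproto, noaddrs, noports, nostate, need_tcpudp = false;
 const addr_port_t *apfrom = &fopts->fo_from;
 const addr_port_t *apto = &fopts->fo_to;
 const int proto = op->op_proto;
@@ -375,7 +375,8 @@ npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op,
 noproto = family == AF_UNSPEC && proto == -1 && !op->op_opts;
 noaddrs = !apfrom->ap_netaddr && !apto->ap_netaddr;
 noports = !apfrom->ap_portrange && !apto->ap_portrange;
-if (noproto && noaddrs && noports) {
+nostate = !(npf_rule_getattr(rl) & NPF_RULE_STATEFUL);
+if (noproto && noaddrs && noports && nostate) {
 return false;
 }
 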
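Review bot: The new `nostate` term in the second hunk lets a stateful rule that matches everything (noproto, noaddrs and noports all true) fall through into the code-building path for the first time, and the remainder of npfctl_build_code that handles that combination — family AF_UNSPEC with proto == -1 and no options — is outside the hunk, so it is worth confirming the later protocol and TCP-flag emission copes with no protocol being specified. The early return previously doubled as the "nothing to build" fast path, and nothing in the hunk documents why stateful rules are now excluded from it. A comment on the added line would capture the intent from the commit title, e.g. `/* A stateful rule still needs code (default TCP flags) even if it matches everything. */`. Naming the variable `stateful` and testing `!stateful` would read more directly than the negated `nostate`, but the existing no-prefixed siblings make the current choice consistent.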
