git: 7dc48056c87b - stable/14 - ipfw: use only needed TCP flags for state tracking

From: Andrey V. Elsukov <ae_at_FreeBSD.org>
Date: Tue, 21 Jan 2025 11:37:03 UTC
The branch stable/14 has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=7dc48056c87b2100f2841d48dbb45a46ffdae934

commit 7dc48056c87b2100f2841d48dbb45a46ffdae934
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2024-12-12 12:57:45 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-01-21 11:35:40 +0000

    ipfw: use only needed TCP flags for state tracking
    
    This fixes stateful firewall failures after adding TH_AE flag
    into TH_FLAGS.
    
    Reported by:    ronald
    Fixes:          347dd05
    
    (cherry picked from commit 9ea8d692f4cb552902b9e8394260d7f3cf4aefb0)
---
 sys/netpfil/ipfw/ip_fw_dynamic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
index 283032048845..d26e05e5d159 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -920,7 +920,8 @@ print_dyn_rule_flags(const struct ipfw_flow_id *id, int dyn_type,
 #define	_SEQ_GE(a,b)	((int)((a)-(b)) >= 0)
 #define	BOTH_SYN	(TH_SYN | (TH_SYN << 8))
 #define	BOTH_FIN	(TH_FIN | (TH_FIN << 8))
-#define	TCP_FLAGS	(TH_FLAGS | (TH_FLAGS << 8))
+#define	BOTH_RST	(TH_RST | (TH_RST << 8))
+#define	TCP_FLAGS	(BOTH_SYN | BOTH_FIN | BOTH_RST)
 #define	ACK_FWD		0x00010000	/* fwd ack seen */
 #define	ACK_REV		0x00020000	/* rev ack seen */
 #define	ACK_BOTH	(ACK_FWD | ACK_REV)
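Review bot: the new `TCP_FLAGS` definition carries no comment explaining why the mask is limited to SYN, FIN and RST, so a later cleanup could switch it back to a `TH_FLAGS`-derived value and reintroduce the failure the commit message describes. The surrounding defines imply a packed layout: forward-direction flags in the low byte, reverse-direction flags shifted left by 8, and `ACK_FWD`/`ACK_REV` starting at `0x00010000`. With that layout, any `TH_*` bit outside the low 8 bits would spill from the forward field into the reverse field, and from the reverse field into the ACK bits. Consider a short comment above `BOTH_SYN` documenting the layout and stating that only flags the state machine actually tests belong in `TCP_FLAGS`. A compile-time check such as `CTASSERT(((TH_SYN | TH_FIN | TH_RST) & ~0xff) == 0);` would also turn a future change in flag width into a build failure instead of a silent state-tracking break.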