diff options
Diffstat (limited to 'sys/contrib')
-rw-r--r-- | sys/contrib/ipfilter/netinet/fil.c | 2 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_state.c | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 1c2a90fdeea4..91a7f9069b91 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -2786,7 +2786,7 @@ ipf_firewall(fin, passp) * If the rule has "keep frag" and the packet is actually a fragment, * then create a fragment state entry. */ - if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { + if (pass & FR_KEEPFRAG) { if (fin->fin_flx & FI_FRAG) { if (ipf_frag_new(softc, fin, pass) == -1) { LBUMP(ipf_stats[out].fr_bnfr); diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 34a64f02eb8a..c6b3059934a6 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -3414,7 +3414,8 @@ ipf_state_check(fin, passp) * If this packet is a fragment and the rule says to track fragments, * then create a new fragment cache entry. */ - if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) + if (((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) && + ((is->is_pass & FR_KEEPFRAG))) (void) ipf_frag_new(softc, fin, is->is_pass); /* |