aboutsummaryrefslogtreecommitdiff
path: root/sys/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'sys/contrib')
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c2
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.c3
2 files changed, 3 insertions, 2 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 1c2a90fdeea4..91a7f9069b91 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -2786,7 +2786,7 @@ ipf_firewall(fin, passp)
* If the rule has "keep frag" and the packet is actually a fragment,
* then create a fragment state entry.
*/
- if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+ if (pass & FR_KEEPFRAG) {
if (fin->fin_flx & FI_FRAG) {
if (ipf_frag_new(softc, fin, pass) == -1) {
LBUMP(ipf_stats[out].fr_bnfr);
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index 34a64f02eb8a..c6b3059934a6 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -3414,7 +3414,8 @@ ipf_state_check(fin, passp)
* If this packet is a fragment and the rule says to track fragments,
* then create a new fragment cache entry.
*/
- if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+ if (((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) &&
+ ((is->is_pass & FR_KEEPFRAG)))
(void) ipf_frag_new(softc, fin, is->is_pass);
/*
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-21 02:09:38 +0000