---
- branch: netbsd-8
  date: Fri Apr 19 09:10:50 UTC 2019
  files:
  - new: 1.10.6.1
    old: '1.10'
    path: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
    pathrev: src/usr.sbin/npf/npfctl/npf_bpf_comp.c@1.10.6.1
    type: modified
  - new: 1.44.4.1
    old: '1.44'
    path: src/usr.sbin/npf/npfctl/npf_build.c
    pathrev: src/usr.sbin/npf/npfctl/npf_build.c@1.44.4.1
    type: modified
  id: 20190419T091050Z.dfc5cdf0607372c9a8c204d689732e1e50ee0988
  log: |
    Pull up following revision(s) (requested by tih in ticket #1232):

    	usr.sbin/npf/npfctl/npf_build.c: revision 1.48
    	usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.12

    Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

    The documented default "flags S/SAFR" for stateful rules that affect
    TCP packets but don't specify any flags, doesn't actually get applied
    to a rule like "pass stateful out all". The big problem with this is
    that when you then do a "block return-rst" for an incoming packet, the
    generated RST packet will create state for the connection attempt it's
    blocking, so that a second attempt from the same source will pass.

    This change makes the default flags actually apply to such simple
    rules. It also fixes a related bug in the code generation for the
    flag matching, where part of the action could erroneously be omitted.

    Reviewed by 
    Closes PR bin/54124
    Pullup to NetBSD 8
  module: src
  subject: 'CVS commit: [netbsd-8] src/usr.sbin/npf/npfctl'
  unixtime: '1555665050'
  user: martin