? sbin/ipfw/ipfw
? sbin/ipfw/ipfw.8.gz
Index: sbin/ipfw/ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.80.2.7
diff -u -r1.80.2.7 ipfw.c
--- sbin/ipfw/ipfw.c	2000/10/17 13:44:55	1.80.2.7
+++ sbin/ipfw/ipfw.c	2001/01/09 18:26:37
@@ -426,7 +426,7 @@
 		if (chain->fw_ipnopt & IP_FW_IPOPT_TS) PRINTOPT("!ts");
 	}
 
-	if (chain->fw_tcpf & IP_FW_TCPF_ESTAB)
+	if (chain->fw_ipflg & IP_FW_IF_TCPEST)
 		printf(" established");
 	else if (chain->fw_tcpf == IP_FW_TCPF_SYN &&
 	    chain->fw_tcpnf == IP_FW_TCPF_ACK)
@@ -1893,7 +1893,7 @@
 		}
 		if (rule.fw_prot == IPPROTO_TCP) {
 			if (!strncmp(*av,"established",strlen(*av))) {
-				rule.fw_tcpf |= IP_FW_TCPF_ESTAB;
+				rule.fw_ipflg |= IP_FW_IF_TCPEST;
 				av++; ac--; continue;
 			}
 			if (!strncmp(*av,"setup",strlen(*av))) {
Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.10
diff -u -r1.131.2.10 ip_fw.c
--- sys/netinet/ip_fw.c	2000/11/07 09:50:58	1.131.2.10
+++ sys/netinet/ip_fw.c	2001/01/09 18:26:37
@@ -244,10 +244,16 @@
 tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
 {
 	u_char flg_set, flg_clr;
-
-	if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) &&
-	    (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)))
-		return 1;
+
+	/*
+	 * If an established connection is required, reject packets that
+	 * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
+	 * other flag requirements.
+	 */
+	if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
+	    ((tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK |
+	    IP_FW_TCPF_SYN)) == IP_FW_TCPF_SYN))
+		return 0;
 
 	flg_set = tcp->th_flags & f->fw_tcpf;
 	flg_clr = tcp->th_flags & f->fw_tcpnf;
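Review bot: The new guard in tcpflg_match rejects only a segment whose RST/ACK/SYN subset is exactly SYN, so a segment with no flags at all, or with only FIN, PSH, URG or the ECN bits, now passes an `established` rule that carries no other flag requirement — with fw_tcpf == fw_tcpnf == 0 the two assignments at the bottom of the hunk yield flg_set == 0 and flg_clr == 0, which (assuming the tail of the function compares them the usual way) is a match. The code being removed required RST or ACK to actually be present, which is also the meaning `established` is normally documented with, and a flagless or FIN-only segment is exactly what a port scanner sends to slip past "established" rules. If the stricter meaning is intended, the check would be `if ((f->fw_ipflg & IP_FW_IF_TCPEST) && (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)) == 0) return 0;` and the comment above it should say "reject any segment that carries neither RST nor ACK" instead of describing the SYN-only case. The remainder of tcpflg_match, including the return that produces the match result, lies outside this hunk.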
@@ -1208,7 +1214,9 @@
 
 			if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f))
 				continue;
-			if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
+			if (((f->fw_tcpf != f->fw_tcpnf) ||
+			    (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
+			    !tcpflg_match(tcp, f))
 				continue;
 			goto check_ports;
 		}
Index: sys/netinet/ip_fw.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.47.2.4
diff -u -r1.47.2.4 ip_fw.h
--- sys/netinet/ip_fw.h	2001/01/09 18:11:40	1.47.2.4
+++ sys/netinet/ip_fw.h	2001/01/09 18:26:37
@@ -211,6 +211,8 @@
 /*
  * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.
  */
+#define IP_FW_IF_TCPEST	0x00000020	/* established TCP connection */
+#define IP_FW_IF_TCPMSK	0x00000020	/* mask of all TCP values */
 
 /*
  * For backwards compatibility with rules specifying "via iface" but
@@ -252,7 +254,6 @@
 #define IP_FW_TCPF_PSH		TH_PUSH
 #define IP_FW_TCPF_ACK		TH_ACK
 #define IP_FW_TCPF_URG		TH_URG
-#define IP_FW_TCPF_ESTAB	0x40
 
 /*
  * Main firewall chains definitions and global var's definitions.
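Review bot: Removing IP_FW_TCPF_ESTAB from the header changes what bit 0x40 in fw_tcpf means to the kernel without any visible check that a rule still carrying it is refused: an ipfw(8) binary built against the previous header keeps ORing 0x40 into rule.fw_tcpf for `established`, and 0x40 is the bit position of the TCP ECE flag, so a patched kernel would presumably accept such a rule and silently turn it into "match only segments with ECE set" — the same bit overlap that appears to be the reason ESTAB is being moved out of fw_tcpf. The new IP_FW_IF_TCPMSK suggests fw_ipflg is meant to be masked or validated on rule insertion, but the rule-checking code is not in this diff, so it should be confirmed that it rejects fw_tcpf/fw_tcpnf bits outside the defined TH_* set as well as fw_ipflg bits outside the mask. The header could record that contract next to the new define: `/* mask of all TCP values; fw_ipflg bits outside it must be rejected at rule install */`.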