authorkn <kn@cvs.openbsd.org>2018-07-16 08:29:09 +0000
committerkn <kn@cvs.openbsd.org>2018-07-16 08:29:09 +0000
commita0a27cf932c8bab8c256d6d25659d8240235eb27 (patch)
treedfd8d04dab116c3dece0db4b30c6e7587a928bc6
parente0eeb3ddc4408fb0b5392935a019e1e1a8417845 (diff)
reduce duplicate code, fix typo/free correct buffer
In filteropts_to_rule(): * Merge `once' handling from `anchorrule' and `pfrule' * Remove/shorten duplicate code block * Fix typo I introduced with r1.678 that frees the wrong buffer (twice) OK sashan
-rw-r--r--sbin/pfctl/parse.y40
1 files changed, 11 insertions, 29 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index dcae4959c55..7792c66f3dc 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.681 2018/07/13 08:41:15 kn Exp $ */
+/* $OpenBSD: parse.y,v 1.682 2018/07/16 08:29:08 kn Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -938,12 +938,6 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
YYERROR;
}
- if ($9.marker & FOM_ONCE) {
- yyerror("cannot specify 'once' "
- "on anchors");
- YYERROR;
- }
-
decide_address_family($8.src.host, &r.af);
decide_address_family($8.dst.host, &r.af);
@@ -1560,15 +1554,6 @@ pfrule : action dir logquick interface af proto fromto
if (filteropts_to_rule(&r, &$8))
YYERROR;
- if ($8.marker & FOM_ONCE) {
- if (r.action == PF_MATCH) {
- yyerror("can't specify once for "
- "match rules");
- YYERROR;
- }
- r.rule_flag |= PFRULE_ONCE;
- }
-
if ($8.flags.b1 || $8.flags.b2 || $7.src_os) {
for (proto = $6; proto != NULL &&
proto->proto != IPPROTO_TCP;
@@ -5879,6 +5864,13 @@ rdomain_exists(u_int rdomain)
int
filteropts_to_rule(struct pf_rule *r, struct filter_opts *opts)
{
+ if (opts->marker & FOM_ONCE) {
+ if (r->action != PF_PASS && r->action != PF_MATCH) {
+ yyerror("'once' only applies to pass/block rules");
+ return (1);
+ }
+ r->rule_flag |= PFRULE_ONCE;
+ }
r->keep_state = opts->keep.action;
r->pktrate.limit = opts->pktrate.limit;
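Review bot: The new guard at the top of filteropts_to_rule() tests `r->action != PF_PASS && r->action != PF_MATCH`, which contradicts its own message "'once' only applies to pass/block rules": as written it accepts match rules and rejects block rules. The pfrule code removed earlier in this commit did the opposite for match (it errored on `r.action == PF_MATCH`), and the removed anchorrule check rejected 'once' outright. If anchors reach this function with a match action (not visible here), they would now be accepted and get PFRULE_ONCE set. In a firewall ruleset parser that is a silent policy change, so the condition should presumably read `if (r->action != PF_PASS && r->action != PF_DROP) {`, assuming PF_DROP is the action value used for block rules. The function body continues outside the hunk.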
@@ -5929,12 +5921,6 @@ filteropts_to_rule(struct pf_rule *r, struct filter_opts *opts)
}
if (opts->marker & FOM_SCRUB_TCP)
r->scrub_flags |= PFSTATE_SCRUB_TCP;
- if (opts->marker & FOM_PRIO) {
- if (opts->prio == 0)
- r->prio = PF_PRIO_ZERO;
- else
- r->prio = opts->prio;
- }
if (opts->marker & FOM_SETDELAY) {
r->delay = opts->delay;
r->rule_flag |= PFRULE_SETDELAY;
@@ -5948,12 +5934,8 @@ filteropts_to_rule(struct pf_rule *r, struct filter_opts *opts)
r->scrub_flags |= PFSTATE_SETTOS;
r->set_tos = opts->settos;
}
- if (opts->marker & FOM_PRIO) {
- if (opts->prio == 0)
- r->prio = PF_PRIO_ZERO;
- else
- r->prio = opts->prio;
- }
+ if (opts->marker & FOM_PRIO)
+ r->prio = opts->prio ? opts->prio : PF_PRIO_ZERO;
if (opts->marker & FOM_SETPRIO) {
r->set_prio[0] = opts->set_prio[0];
r->set_prio[1] = opts->set_prio[1];
@@ -5983,7 +5965,7 @@ filteropts_to_rule(struct pf_rule *r, struct filter_opts *opts)
"%d chars)", sizeof(r->pqname)-1);
return (1);
}
- free(opts->queues.qname);
+ free(opts->queues.pqname);
}
if (opts->fragment)