summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHenning Brauer <henning@cvs.openbsd.org>2003-05-13 23:02:16 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2003-05-13 23:02:16 +0000
commit9f1874ae0ed270cc09f53906922475ab9322ce8f (patch)
treecde5da45c3767054ab13341806f8bf5b70dfdd69
parentf4472ee177825a5e03f08200a5fc363dd83be032 (diff)
make sure tagging is only ever used with stateful filter rules
-rw-r--r--sbin/pfctl/parse.y6
1 files changed, 5 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index f087cbbccf9..221a669a556 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.375 2003/05/13 21:15:07 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.376 2003/05/13 23:02:15 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2954,6 +2954,10 @@ filter_consistent(struct pf_rule *r)
yyerror("keep state on block rules doesn't make sense");
problems++;
}
+ if ((r->tagname[0] || r->match_tagname[0]) && !r->keep_state) {
+ yyerror("tags cannot be used without keep state");
+ problems++;
+ }
return (-problems);
}