summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHenning Brauer <henning@cvs.openbsd.org>2003-05-25 17:07:29 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2003-05-25 17:07:29 +0000
commitbe35fdf489bb7a12617e776e4dbb242c84325636 (patch)
treef670e665829b37824aff435072776d26d4426bab
parentb739883ab3001796d2ec57cdb891f95353190e65 (diff)
must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target. reported by jared r r spiegel <jrrs@ice-nine.org>
-rw-r--r--sbin/pfctl/parse.y6
1 files changed, 3 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0426f69e24c..b2c34548178 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.388 2003/05/19 20:21:53 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.389 2003/05/25 17:07:28 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2693,8 +2693,6 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag
$11->host, "invalid use of table <%s> as the "
"redirect address of a binat rule"))
YYERROR;
- if ($11 != NULL && check_netmask($11->host, binat.af))
- YYERROR;
if ($7 != NULL) {
if ($7->next) {
@@ -2751,6 +2749,8 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag
"a single address");
YYERROR;
}
+ if (check_netmask($11->host, binat.af))
+ YYERROR;
if (!PF_AZERO(&binat.src.addr.v.a.mask,
binat.af) &&