diff options
author | Henning Brauer <henning@cvs.openbsd.org> | 2003-05-25 17:07:29 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2003-05-25 17:07:29 +0000 |
commit | be35fdf489bb7a12617e776e4dbb242c84325636 (patch) | |
tree | f670e665829b37824aff435072776d26d4426bab | |
parent | b739883ab3001796d2ec57cdb891f95353190e65 (diff) |
must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>
-rw-r--r-- | sbin/pfctl/parse.y | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 0426f69e24c..b2c34548178 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.388 2003/05/19 20:21:53 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.389 2003/05/25 17:07:28 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -2693,8 +2693,6 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag $11->host, "invalid use of table <%s> as the " "redirect address of a binat rule")) YYERROR; - if ($11 != NULL && check_netmask($11->host, binat.af)) - YYERROR; if ($7 != NULL) { if ($7->next) { @@ -2751,6 +2749,8 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag "a single address"); YYERROR; } + if (check_netmask($11->host, binat.af)) + YYERROR; if (!PF_AZERO(&binat.src.addr.v.a.mask, binat.af) && |