author | Sebastian Benoit <benno@cvs.openbsd.org> | 2016-06-21 13:40:44 +0000 |
---|---|---|
committer | Sebastian Benoit <benno@cvs.openbsd.org> | 2016-06-21 13:40:44 +0000 |
commit | 2a1bf2629227c7e6e15a6ba668b950482062ccca (patch) | |
tree | 325e1b2777ed2f954e3e09cb92b9221f9c63ca0f | |
parent | c6e36e7d9eeee176f30e9e10152f1d11333ab6a3 (diff) |
the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.
ok henning@ mikeb@
-rw-r--r-- | sbin/pfctl/parse.y | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 934438cbe6b..776eb12abda 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.650 2016/06/16 15:46:20 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.651 2016/06/21 13:40:43 benno Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1518,6 +1518,9 @@ pfrule : action dir logquick interface af proto fromto } if ($8.marker & FOM_AFTO) r.rule_flag |= PFRULE_AFTO; + if ($8.marker & FOM_AFTO && r.direction != PF_IN) + yyerror("af-to can only be used with direction in"); + YYERROR; r.af = $5; if ($8.tag) |
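Review bot: In the second hunk (the `pfrule` action at -1518), the added `if ($8.marker & FOM_AFTO && r.direction != PF_IN)` has no braces, so it governs only the `yyerror(...)` call. The `YYERROR;` that follows is a separate statement and runs for every rule that reaches this point, including rules that do not use af-to and af-to rules with direction in, so the action takes the error path unconditionally. Put both statements inside one braced block so that `YYERROR` fires only after the error has been reported. A smaller point on the same line: writing the mask test as `($8.marker & FOM_AFTO)` would make the grouping with `&&` explicit, although operator precedence already gives the intended result.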