authorSebastian Benoit <benno@cvs.openbsd.org>2016-06-21 13:40:44 +0000
committerSebastian Benoit <benno@cvs.openbsd.org>2016-06-21 13:40:44 +0000
commit2a1bf2629227c7e6e15a6ba668b950482062ccca (patch)
tree325e1b2777ed2f954e3e09cb92b9221f9c63ca0f
parentc6e36e7d9eeee176f30e9e10152f1d11333ab6a3 (diff)
the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration being loaded. this changes the parser to make pass out .. af-to an error. ok henning@ mikeb@
-rw-r--r--sbin/pfctl/parse.y5
1 files changed, 4 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 934438cbe6b..776eb12abda 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.650 2016/06/16 15:46:20 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.651 2016/06/21 13:40:43 benno Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1518,6 +1518,9 @@ pfrule : action dir logquick interface af proto fromto
}
if ($8.marker & FOM_AFTO)
r.rule_flag |= PFRULE_AFTO;
+ if ($8.marker & FOM_AFTO && r.direction != PF_IN)
+ yyerror("af-to can only be used with direction in");
+ YYERROR;
r.af = $5;
if ($8.tag)
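Review bot: The added `if ($8.marker & FOM_AFTO && r.direction != PF_IN)` has no braces in the lines shown, so only the `yyerror(...)` call is guarded and `YYERROR;` runs for every rule that reaches this point. If the real file matches what is shown, the parser would reject rules that never use af-to, and a ruleset containing them would fail to load. Both statements should sit in one block: `if (($8.marker & FOM_AFTO) && r.direction != PF_IN) {`, then the `yyerror(...)` and `YYERROR;` lines, then `}`. The page has lost its indentation, so this is read from the tokens alone. The pfrule action starts and ends outside the hunk.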