authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-01-02 11:35:00 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2003-01-02 11:35:00 +0000
commit71255e0a590e820c79449be3280ecadfbab0f623 (patch)
tree63f07a7ecba420f11fbdec19e4a7522d596b7e58
parentf56aff888bca04b48bebd0af601992c6c7d8c20c (diff)
Require a direction to be specified for rules which do routing.
ok dhartmei@ henning@
-rw-r--r--sbin/pfctl/parse.y7
-rw-r--r--sys/net/pf_ioctl.c6
2 files changed, 11 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 668976aa9d1..a5d44e0ab29 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.271 2002/12/30 23:46:54 mcbride Exp $ */
+/* $OpenBSD: parse.y,v 1.272 2003/01/02 11:34:59 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1108,6 +1108,11 @@ pfrule : action dir logquick interface route af proto fromto
decide_address_family($8.dst.host, &r.af);
if ($5.rt) {
+ if(!r.direction) {
+ yyerror("direction must be explicit "
+ "with rules that specify routing");
+ YYERROR;
+ }
r.rt = $5.rt;
r.rpool.opts = $5.pool_opts;
}
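Review bot: The added `if(!r.direction) {` inside the `if ($5.rt)` branch omits the space after `if` that the neighbouring lines use, so it should read `if (!r.direction) {`. A short comment above the check stating why a routing rule needs an explicit direction would also help, since neither the code nor the commit message gives the reason. This parser check only improves the error message for pfctl users; it cannot stand in for validation in the kernel, because other programs can submit rules through the ioctl directly. The pfrule action starts and ends outside this hunk.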
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 828443a7985..b520be303ec 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.39 2003/01/01 16:07:01 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.40 2003/01/02 11:34:59 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -604,6 +604,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
}
}
+ if (rule->rt && !rule->direction)
+ error = EINVAL;
if (pf_dynaddr_setup(&rule->src.addr, rule->af))
error = EINVAL;
if (pf_dynaddr_setup(&rule->dst.addr, rule->af))
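Review bot: The new test `if (rule->rt && !rule->direction)` rejects only a zero direction, so a routing rule with any other non-zero value supplied through the ioctl still passes. Unless the field is range-checked elsewhere in pfioctl (not visible in this hunk), comparing against the defined directions would be stricter, for example `if (rule->rt && rule->direction != PF_IN && rule->direction != PF_OUT)`. The same applies to the `newrule->rt && !newrule->direction` test in the following hunk at line 825. The enclosing ioctl cases begin and end outside both hunks, so how `error` is handled afterwards cannot be confirmed from here.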
@@ -823,6 +825,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
} else
newrule->ifp = NULL;
+ if (newrule->rt && !newrule->direction)
+ error = EINVAL;
if (pf_dynaddr_setup(&newrule->src.addr, newrule->af))
error = EINVAL;
if (pf_dynaddr_setup(&newrule->dst.addr, newrule->af))