diff options
| author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2011-07-13 20:57:11 +0000 |
|---|---|---|
| committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2011-07-13 20:57:11 +0000 |
| commit | 8d05411f0b5a7743b30876332409fd67036ed867 (patch) | |
| tree | e9219f0020958a603290bde7441ca85812688f3c /sbin/pfctl/parse.y | |
| parent | c4c4e2eacec88eebc886b69ab13584738d2dcbc0 (diff) | |
Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test().
ok sthen henning
Diffstat (limited to 'sbin/pfctl/parse.y')
| -rw-r--r-- | sbin/pfctl/parse.y | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 72593e6c361..de30e7c443e 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.604 2011/07/08 18:52:47 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.605 2011/07/13 20:57:10 mcbride Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -3941,11 +3941,25 @@ rule_consistent(struct pf_rule *r, int anchor_call) { int problems = 0; + if (r->proto != IPPROTO_TCP && r->os_fingerprint != PF_OSFP_ANY) { + yyerror("os only applies to tcp"); + problems++; + } if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && (r->src.port_op || r->dst.port_op)) { yyerror("port only applies to tcp/udp"); problems++; } + if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && + r->uid.op) { + yyerror("user only applies to tcp/udp"); + problems++; + } + if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && + r->gid.op) { + yyerror("group only applies to tcp/udp"); + problems++; + } if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 && (r->type || r->code)) { yyerror("icmp-type/code only applies to icmp"); |