diff options
| author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2004-12-08 01:27:24 +0000 |
|---|---|---|
| committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2004-12-08 01:27:24 +0000 |
| commit | 6a883523f7c9392d917e26827b1583b5aedd283c (patch) | |
| tree | a75a32282a65fb9b5e42375bc2d4c302620aba9b /sbin/pfctl/parse.y | |
| parent | 89cff5c6a4c1f35c2606b633c6f94a536f48ca85 (diff) | |
Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.
Diffstat (limited to 'sbin/pfctl/parse.y')
| -rw-r--r-- | sbin/pfctl/parse.y | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 0615f2f0ed6..7b9da3f0026 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.467 2004/12/07 10:33:41 dhartmei Exp $ */ +/* $OpenBSD: parse.y,v 1.468 2004/12/08 01:27:23 mcbride Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1708,14 +1708,14 @@ pfrule : action dir logquick interface route af proto fromto YYERROR; } if (srctrack == PF_SRCTRACK_GLOBAL && - r.max_src_nodes) { + r.max_src_conn) { yyerror("'max-src-conn' is " "incompatible with " "'source-track global'"); YYERROR; } if (srctrack == PF_SRCTRACK_GLOBAL && - r.max_src_nodes) { + r.max_src_conn_rate.seconds) { yyerror("'max-src-conn-rate' is " "incompatible with " "'source-track global'"); @@ -3683,6 +3683,12 @@ filter_consistent(struct pf_rule *r) yyerror("must indicate address family with icmp-type/code"); problems++; } + if (r->overload_tblname[0] && + r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) { + yyerror("'overload' requires 'max-src-conn' " + "or 'max-src-conn-rate'"); + problems++; + } if ((r->proto == IPPROTO_ICMP && r->af == AF_INET6) || (r->proto == IPPROTO_ICMPV6 && r->af == AF_INET)) { yyerror("proto %s doesn't match address family %s", |