authorCedric Berger <cedric@cvs.openbsd.org>2003-08-24 13:02:29 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-08-24 13:02:29 +0000
commit3fa8414fb87581ab6fba1915528f33c227dc659d (patch)
tree4a972c8636b786219b3289f03e0597edc824fef3 /sbin/pfctl/parse.y
parent0d873dc5119802584cca1ee379fe82790432d733 (diff)
Tweaks:
- Make sure we allow only tables in round-robin pools for routing options, same as what we do for translation rules. - Don't reject rules like: "nat on sis0 -> <foo>" because "no address family is given". This is perfectly valid. ok henning@
Diffstat (limited to 'sbin/pfctl/parse.y')
-rw-r--r--sbin/pfctl/parse.y28
1 files changed, 21 insertions, 7 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 49f0c1b6ce8..c3eb7faf739 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.410 2003/08/22 21:50:34 david Exp $ */
+/* $OpenBSD: parse.y,v 1.411 2003/08/24 13:02:28 cedric Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1449,10 +1449,16 @@ pfrule : action dir logquick interface route af proto fromto
"matching address family found.");
YYERROR;
}
+ if (r.rpool.opts == PF_POOL_NONE && (
+ $5.host->next != NULL ||
+ $5.host->addr.type == PF_ADDR_TABLE))
+ r.rpool.opts = PF_POOL_ROUNDROBIN;
+ if (r.rpool.opts != PF_POOL_ROUNDROBIN)
+ if (disallow_table($5.host, "tables "
+ "are only supported in round-robin "
+ "routing pools"))
+ YYERROR;
if ($5.host->next != NULL) {
- if (r.rpool.opts == PF_POOL_NONE)
- r.rpool.opts =
- PF_POOL_ROUNDROBIN;
if (r.rpool.opts !=
PF_POOL_ROUNDROBIN) {
yyerror("r.rpool.opts must "
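Review bot: The new table check is written as two nested `if`s with no braces (`if (r.rpool.opts != PF_POOL_ROUNDROBIN)` directly over `if (disallow_table(...))`), which can mis-bind if a later edit adds an `else` or a second statement to this rule-validation path. A single condition does the same and cannot mis-bind: `if (r.rpool.opts != PF_POOL_ROUNDROBIN && disallow_table($5.host, ...)) YYERROR;`, keeping the same message string. The silent promotion of PF_POOL_NONE to PF_POOL_ROUNDROBIN for a table or a multi-host list would also merit a one-line comment such as `/* a table or an address list implies round-robin */`. The pfrule action starts and ends outside this hunk, so the non-NULL guarantee for `$5.host` is assumed from the preceding context rather than visible here.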
@@ -4360,9 +4366,17 @@ int
invalid_redirect(struct node_host *nh, sa_family_t af)
{
if (!af) {
- yyerror("address family not given and translation "
- "address expands to multiple address families");
- return (1);
+ struct node_host *n;
+
+ /* only tables are ok without an address family */
+ for(n = nh; n != NULL; n = n->next) {
+ if(n->addr.type != PF_ADDR_TABLE) {
+ yyerror("address family not given and "
+ "translation address expands to multiple "
+ "address families");
+ return (1);
+ }
+ }
}
if (nh == NULL) {
yyerror("no translation address with matching address family "
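Review bot: With `af == 0`, a table-only redirect now passes this check without any address-family validation, and the comment `/* only tables are ok without an address family */` does not say where a family mismatch inside the table is caught. If that is resolved when the table is looked up rather than at parse time (not visible in this hunk), the comment should say so, e.g. `/* tables have no family at parse time; their contents are not checked here */`. The added `for(` and `if(` also lack the space after the keyword that the surrounding `if (!af)` uses. invalid_redirect continues past the end of the hunk.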