authorkn <kn@cvs.openbsd.org>2020-12-16 18:00:45 +0000
committerkn <kn@cvs.openbsd.org>2020-12-16 18:00:45 +0000
commited6b72629f0e2e85c06c46358172f3f178261f09 (patch)
tree608fd43b89efb0fa7dbfc305e01ef7e2d39532d7 /sbin/pfctl
parent8cec51660931efa34c2008647c7b8a2af3d487c1 (diff)
Reject rules with invalid port ranges
Ranges where the left boundary is bigger than the right one are always bogus, as they either work like `port any' (`port 34<>12' means "all ports") or in a way that inverts the rule's action (`pass ... port 34:12' means "pass no port at all"). Add checks for all ranges and invalidate those that yield no or all ports. For this to work on redirections, make pfctl(8) pass the range's type, otherwise boundary-including ranges are not detected as such; that is to say, `struct pf_pool's `port_op' member was unused in the kernel so far. `rdr-to' rules with invalid ranges could panic the kernel when hit. Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com OK sashan
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/parse.y6
1 files changed, 4 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index ed259dfa565..26027e3841b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.705 2020/12/07 08:29:41 sashan Exp $ */
+/* $OpenBSD: parse.y,v 1.706 2020/12/16 18:00:44 kn Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -4615,8 +4615,10 @@ apply_redirspec(struct pf_pool *rpool, struct pf_rule *r, struct redirspec *rs,
if (!rs->rdr->rport.b && rs->rdr->rport.t) {
rpool->proxy_port[1] = ntohs(rs->rdr->rport.a) +
(ntohs(np->port[1]) - ntohs(np->port[0]));
- } else
+ } else {
+ rpool->port_op = rs->rdr->rport.t;
rpool->proxy_port[1] = ntohs(rs->rdr->rport.b);
+ }
} else {
rpool->proxy_port[1] = ntohs(rs->rdr->rport.b);
if (!rpool->proxy_port[0] && !rpool->proxy_port[1]) {
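Review bot: The new `rpool->port_op = rs->rdr->rport.t;` is assigned only in the inner else branch, so in the port-shift branch just above it (`!rs->rdr->rport.b && rs->rdr->rport.t`) and in the outer else branch below, `port_op` keeps whatever value the pool carried into this function; since the kernel now keys its range validation on that field (per the commit message), the omission reads as an oversight unless it is stated. A short comment on the new line would settle it, e.g. `/* pass the range type so the kernel can tell a:b from a<>b and reject empty or all-port ranges */`, plus a note on the other branches saying why `port_op` is deliberately left unset there. apply_redirspec begins and ends outside the hunk, so whether `rpool` is zeroed before these assignments cannot be confirmed from here; if it is not, the shift branch may hand the kernel a stale `port_op` from a previous pool.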