diff options
| author | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2020-12-07 08:29:42 +0000 |
|---|---|---|
| committer | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2020-12-07 08:29:42 +0000 |
| commit | eef7bfe021f4232957095fce2a6571fd9394e6c7 (patch) | |
| tree | ff2d375d728d96411ea04ef22d5ae0ddc8638c0e /sbin | |
| parent | 4042a9e180f0ec2664570a99773601827201a4e4 (diff) | |
synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@
OK bluhm@, kn@, procter@
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/pfctl/parse.y | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index f06171158cb..ed259dfa565 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.704 2020/10/01 14:02:08 kn Exp $ */ +/* $OpenBSD: parse.y,v 1.705 2020/12/07 08:29:41 sashan Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -4042,6 +4042,12 @@ rule_consistent(struct pf_rule *r) "synproxy state or modulate state"); problems++; } + + if ((r->keep_state == PF_STATE_SYNPROXY) && (r->direction != PF_IN)) + fprintf(stderr, "%s:%d: warning: " + "synproxy used for inbound rules only, " + "ignored for outbound\n", file->name, yylval.lineno); + if ((r->nat.addr.type != PF_ADDR_NONE || r->rdr.addr.type != PF_ADDR_NONE) && r->action != PF_MATCH && !r->keep_state) { |