authorHenning Brauer <henning@cvs.openbsd.org>2002-07-15 13:36:03 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2002-07-15 13:36:03 +0000
commitea00a7e233b147b4c12055547eb876df90b6f6bb (patch)
treee9cfc9727a5ab76e0f24d19603060032a8c8907b /sbin
parent1d46f2640a734b8385548724292e25bc017da429 (diff)
o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp; pointed out by not-slacking-but-testing pb@. ok pb@, dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y10
1 files changed, 9 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index f45eef6b3dd..0e5cb47c55f 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.117 2002/07/13 18:36:02 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.118 2002/07/15 13:36:02 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1620,6 +1620,14 @@ rule_consistent(struct pf_rule *r)
yyerror("fragments can be filtered only on IP header fields");
problems++;
}
+ if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) {
+ yyerror("return-rst can only be applied to TCP rules");
+ problems++;
+ }
+ if (r->action == PF_DROP && r->keep_state) {
+ yyerror("keep state on block rules doesn't make sense");
+ problems++;
+ }
return (-problems);
}
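Review bot: The new return-rst condition relies on `&` binding tighter than `&&`, which is correct but easy to misread in a consistency check whose whole job is rejecting malformed rules; write it as `if ((r->rule_flag & PFRULE_RETURNRST) && r->proto != IPPROTO_TCP) {` so the intent is explicit and -Wparentheses-style warnings stay quiet. It would also help to state the rationale next to the check, e.g. `/* a RST reply is only meaningful for TCP; a rule with no proto or a non-TCP proto could not honour it */`, since both new errors are semantic rather than syntactic and a future reader will want to know why they are rejected at parse time. rule_consistent's signature and the earlier checks lie outside the hunk.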