| author | Henning Brauer <henning@cvs.openbsd.org> | 2002-07-15 13:36:03 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2002-07-15 13:36:03 +0000 |
| commit | ea00a7e233b147b4c12055547eb876df90b6f6bb (patch) | |
| tree | e9cfc9727a5ab76e0f24d19603060032a8c8907b /sbin | |
| parent | 1d46f2640a734b8385548724292e25bc017da429 (diff) | |
o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp
pointed out by not-slacking-but-testing pb@
ok pb@, dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index f45eef6b3dd..0e5cb47c55f 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.117 2002/07/13 18:36:02 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.118 2002/07/15 13:36:02 henning Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1620,6 +1620,14 @@ rule_consistent(struct pf_rule *r) yyerror("fragments can be filtered only on IP header fields"); problems++; } + if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) { + yyerror("return-rst can only be applied to TCP rules"); + problems++; + } + if (r->action == PF_DROP && r->keep_state) { + yyerror("keep state on block rules doesn't make sense"); + problems++; + } return (-problems); } |
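Review bot: in the first new check in `rule_consistent()`, `r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP` depends on `&` binding tighter than `&&`; that is what C guarantees, so the test is correct, but writing it as `if ((r->rule_flag & PFRULE_RETURNRST) && r->proto != IPPROTO_TCP)` makes the flag test explicit and avoids a reader second-guessing the precedence. Both checks are otherwise sound for what the commit message describes: a rule with no proto (or a non-TCP proto) carrying return-rst is rejected, and keep state on a PF_DROP rule is rejected, each incrementing `problems` independently so a rule that violates both gets both messages before the function returns `-problems`.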