diff options
| author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-07-08 11:46:33 +0000 |
|---|---|---|
| committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-07-08 11:46:33 +0000 |
| commit | 7011033ef1e190ba532360de2ea255957fb02fe7 (patch) | |
| tree | f8f87b28e73ffe319c76dc51a3e7af3f35636d6a /sbin | |
| parent | cff520855adb0e1ee9d0bb3fac4928cd0f19fe5b (diff) | |
Don't allow 'flags' option in non-TCP rules, found by mpech@
Diffstat (limited to 'sbin')
| -rw-r--r-- | sbin/pfctl/parse.y | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index b9cc12b4d9a..d803ea7cfa4 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.112 2002/07/05 18:09:50 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.113 2002/07/08 11:46:32 dhartmei Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1607,6 +1607,10 @@ rule_consistent(struct pf_rule *r) yyerror("port only applies to tcp/udp"); problems++; } + if (r->proto != IPPROTO_TCP && (r->flags || r->flagset)) { + yyerror("flags only applies to tcp"); + problems++; + } if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 && (r->type || r->code)) { yyerror("icmp-type/code only applies to icmp"); |