summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y88
1 files changed, 2 insertions, 86 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 814f64514f9..0c165c47611 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.601 2011/07/03 23:59:43 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.602 2011/07/04 03:36:14 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -63,13 +63,11 @@
static struct pfctl *pf = NULL;
static int debug = 0;
-static int rulestate = 0;
static u_int16_t returnicmpdefault =
(ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
static u_int16_t returnicmp6default =
(ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
static int blockpolicy = PFRULE_DROP;
-static int require_order = 0;
static int default_statelock;
TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files);
@@ -105,14 +103,6 @@ char *symget(const char *);
int atoul(char *, u_long *);
-enum {
- PFCTL_STATE_NONE,
- PFCTL_STATE_OPTION,
- PFCTL_STATE_QUEUE,
- PFCTL_STATE_NAT,
- PFCTL_STATE_FILTER
-};
-
struct node_proto {
u_int8_t proto;
struct node_proto *next;
@@ -362,7 +352,6 @@ int expand_queue(struct pf_altq *, struct node_if *,
struct node_queue_opt *);
int expand_skip_interface(struct node_if *);
-int check_rulestate(int);
int getservice(char *);
int rule_label(struct pf_rule *, char *);
@@ -457,7 +446,7 @@ int parseport(char *, struct range *r, int);
%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token REASSEMBLE ANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
+%token SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
%token ANTISPOOF FOR INCLUDE MATCHES
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN LEASTSTATES STATICPORT PROBABILITY
%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
@@ -577,15 +566,9 @@ optnodf : /* empty */ { $$ = 0; }
;
option : SET REASSEMBLE yesno optnodf {
- if (check_rulestate(PFCTL_STATE_OPTION))
- YYERROR;
pfctl_set_reassembly(pf, $3, $4);
}
| SET OPTIMIZATION STRING {
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (pfctl_set_optimization(pf, $3) != 0) {
yyerror("unknown optimization %s", $3);
free($3);
@@ -604,10 +587,6 @@ option : SET REASSEMBLE yesno optnodf {
| SET LIMIT limit_spec
| SET LIMIT '{' optnl limit_list '}'
| SET LOGINTERFACE stringall {
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (pfctl_set_logif(pf, $3) != 0) {
yyerror("error setting loginterface %s", $3);
free($3);
@@ -628,30 +607,16 @@ option : SET REASSEMBLE yesno optnodf {
| SET BLOCKPOLICY DROP {
if (pf->opts & PF_OPT_VERBOSE)
printf("set block-policy drop\n");
- if (check_rulestate(PFCTL_STATE_OPTION))
- YYERROR;
blockpolicy = PFRULE_DROP;
}
| SET BLOCKPOLICY RETURN {
if (pf->opts & PF_OPT_VERBOSE)
printf("set block-policy return\n");
- if (check_rulestate(PFCTL_STATE_OPTION))
- YYERROR;
blockpolicy = PFRULE_RETURN;
}
- | SET REQUIREORDER yesno {
- if (pf->opts & PF_OPT_VERBOSE)
- printf("set require-order %s\n",
- $3 == 1 ? "yes" : "no");
- require_order = $3;
- }
| SET FINGERPRINTS STRING {
if (pf->opts & PF_OPT_VERBOSE)
printf("set fingerprints \"%s\"\n", $3);
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (!pf->anchor->name[0]) {
if (pfctl_file_fingerprints(pf->dev,
pf->opts, $3)) {
@@ -676,10 +641,6 @@ option : SET REASSEMBLE yesno optnodf {
default_statelock = $3;
}
| SET DEBUG STRING {
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($3);
- YYERROR;
- }
if (pfctl_set_debug(pf, $3) != 0) {
yyerror("error setting debuglevel %s", $3);
free($3);
@@ -796,12 +757,6 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
struct pf_rule r;
struct node_proto *proto;
- if (check_rulestate(PFCTL_STATE_FILTER)) {
- if ($2)
- free($2);
- YYERROR;
- }
-
if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) {
free($2);
yyerror("anchor names beginning with '_' "
@@ -1037,9 +992,6 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
struct node_host *h = NULL, *hh;
struct node_if *i, *j;
- if (check_rulestate(PFCTL_STATE_FILTER))
- YYERROR;
-
for (i = $3; i; i = i->next) {
bzero(&r, sizeof(r));
@@ -1295,9 +1247,6 @@ table_opt : STRING {
altqif : ALTQ interface queue_opts QUEUE qassign {
struct pf_altq a;
- if (check_rulestate(PFCTL_STATE_QUEUE))
- YYERROR;
-
memset(&a, 0, sizeof(a));
if ($3.scheduler.qtype == ALTQT_NONE) {
yyerror("no scheduler specified!");
@@ -1319,13 +1268,7 @@ altqif : ALTQ interface queue_opts QUEUE qassign {
queuespec : QUEUE STRING interface queue_opts qassign {
struct pf_altq a;
- if (check_rulestate(PFCTL_STATE_QUEUE)) {
- free($2);
- YYERROR;
- }
-
memset(&a, 0, sizeof(a));
-
if (strlcpy(a.qname, $2, sizeof(a.qname)) >=
sizeof(a.qname)) {
yyerror("queue name too long (max "
@@ -1683,11 +1626,7 @@ pfrule : action dir logquick interface af proto fromto
int adaptive = 0;
int defaults = 0;
- if (check_rulestate(PFCTL_STATE_FILTER))
- YYERROR;
-
memset(&r, 0, sizeof(r));
-
r.action = $1.b1;
switch ($1.b2) {
case PFRULE_RETURNRST:
@@ -3846,10 +3785,6 @@ routespec : route_host { $$ = $1; }
timeout_spec : STRING NUMBER
{
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($1);
- YYERROR;
- }
if ($2 < 0 || $2 > UINT_MAX) {
yyerror("only positive values permitted");
YYERROR;
@@ -3869,10 +3804,6 @@ timeout_list : timeout_list comma timeout_spec optnl
limit_spec : STRING NUMBER
{
- if (check_rulestate(PFCTL_STATE_OPTION)) {
- free($1);
- YYERROR;
- }
if ($2 < 0 || $2 > UINT_MAX) {
yyerror("only positive values permitted");
YYERROR;
@@ -5036,18 +4967,6 @@ freehostlist(struct node_host *h)
#undef LOOP_THROUGH
int
-check_rulestate(int desired_state)
-{
- if (require_order && (rulestate > desired_state)) {
- yyerror("Rules must be in order: options, normalization, "
- "queueing, translation, filtering");
- return (1);
- }
- rulestate = desired_state;
- return (0);
-}
-
-int
kw_cmp(const void *k, const void *e)
{
return (strcmp(k, ((const struct keywords *)e)->k_name));
@@ -5142,7 +5061,6 @@ lookup(char *s)
{ "reassemble", REASSEMBLE},
{ "received-on", RECEIVEDON},
{ "reply-to", REPLYTO},
- { "require-order", REQUIREORDER},
{ "return", RETURN},
{ "return-icmp", RETURNICMP},
{ "return-icmp6", RETURNICMP6},
@@ -5539,12 +5457,10 @@ parse_config(char *filename, struct pfctl *xpf)
pf = xpf;
errors = 0;
- rulestate = PFCTL_STATE_NONE;
returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
returnicmp6default =
(ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
blockpolicy = PFRULE_DROP;
- require_order = 0;
if ((file = pushfile(filename, 0)) == NULL) {
warn("cannot open the main config file!");
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-23 14:01:50 +0000