From be35fdf489bb7a12617e776e4dbb242c84325636 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Sun, 25 May 2003 17:07:29 +0000
Subject: must not run check_netmask() before remove_invalid_hosts() - binat case had it wrong for the redirection target. reported by jared r r spiegel
---
 sbin/pfctl/parse.y | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'sbin/pfctl')
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0426f69e24c..b2c34548178 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.388 2003/05/19 20:21:53 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.389 2003/05/25 17:07:28 henning Exp $ */

 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2693,8 +2693,6 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag
 $11->host, "invalid use of table <%s> as the "
 "redirect address of a binat rule"))
 YYERROR;
- if ($11 != NULL && check_netmask($11->host, binat.af))
- YYERROR;

 if ($7 != NULL) {
 if ($7->next) {
@@ -2751,6 +2749,8 @@ binatrule : no BINAT interface af proto FROM host TO ipspec tag
 "a single address");
 YYERROR;
 }
+ if (check_netmask($11->host, binat.af))
+ YYERROR;

 if (!PF_AZERO(&binat.src.addr.v.a.mask,
 binat.af) &&
-- 
cgit v1.2.3
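Review bot: The relocated `if (check_netmask($11->host, binat.af))` in the third hunk no longer carries the `$11 != NULL` guard that the removed lines had, so it now depends on an enclosing NULL test and on `$11->host` still being non-NULL after host filtering. Neither is visible here, because the binatrule action starts and ends outside the hunk, so both are worth confirming before this lands. Since the call order is the whole fix, I would also put a comment on the new line, for example `/* must run after remove_invalid_hosts(): netmask is validated against the filtered redirect host */`. That keeps a later reshuffle of the action from moving the netmask validation back ahead of host filtering and silently mis-validating the redirection target of a binat rule.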