author | 2010-09-24 09:17:46 +0000 | |
---|---|---|
committer | 2010-09-24 09:17:46 +0000 | |
commit | 0e0692541148b6ae01f19ee81ec73c81ec81e432 (patch) | |
tree | f2dd45b968ceba92c69d81184af1427eb5d49c25 | |
parent | remove dying flag in detach() function. (diff) | |
remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given: a rule with rdr-to and/or nat-to
and no direction is almost certainly an error (even though, technically,
it would work)
ok ryan claudio dlg
-rw-r--r-- | sbin/pfctl/parse.y | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 272a27f2644..1c9f401c314 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.593 2010/09/22 06:02:59 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.594 2010/09/24 09:17:46 henning Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -4009,12 +4009,9 @@ rule_consistent(struct pf_rule *r, int anchor_call)
 yyerror("nat-to and rdr-to require keep state");
 problems++;
 }
- if (r->nat.addr.type != PF_ADDR_NONE && r->direction != PF_OUT) {
- yyerror("nat-to can only be used outbound");
- problems++;
- }
- if (r->rdr.addr.type != PF_ADDR_NONE && r->direction != PF_IN) {
- yyerror("rdr-to can only be used inbound");
+ if (r->direction == PF_INOUT && (r->nat.addr.type != PF_ADDR_NONE ||
+ r->rdr.addr.type != PF_ADDR_NONE)) {
+ yyerror("nat-to and rdr-to require a direction");
 problems++;
 }
|
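Review bot: The reason the new `if` still insists on a direction for nat-to/rdr-to lives only in the commit message, so the next reader of rule_consistent() will see a check the kernel does not need and may be tempted to drop it too; a comment above the new condition would pin the intent, e.g. `/* the kernel accepts nat-to/rdr-to on in/out rules, but translating both ways is almost certainly a config error: insist on in or out */`. The old messages also told the user which of the two options was wrong, while "nat-to and rdr-to require a direction" fires for either; that is fine, but worth knowing when reading old bug reports. Since rdr-to on out rules and nat-to on in rules are now accepted by pfctl, any pf.conf(5) wording that still calls them direction-specific presumably needs updating in the same change — the manual is not visible from here. rule_consistent() begins and ends outside this hunk.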