authorhenning <henning@openbsd.org>2013-10-17 19:59:54 +0000
committerhenning <henning@openbsd.org>2013-10-17 19:59:54 +0000
commit13863042780e53d71a90d5282ef75c029e58c5db (patch)
tree0e72dd4a66f41ac5842ee83fb12d666167a01419
parentRespect the max pdu length and merge all send_label* functions into (diff)
downloadwireguard-openbsd-13863042780e53d71a90d5282ef75c029e58c5db.tar.xz
wireguard-openbsd-13863042780e53d71a90d5282ef75c029e58c5db.zip
cannot have queue definitions inside anchors.
don't attempt to load them, and err out if we run into one. ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly
-rw-r--r--sbin/pfctl/parse.y7
-rw-r--r--sbin/pfctl/pfctl.c11
2 files changed, 13 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8269af81963..f00319bd2d4 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.625 2013/10/12 12:16:11 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.626 2013/10/17 19:59:54 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -4735,7 +4735,10 @@ expand_queue(char *qname, struct node_if *interfaces, struct queue_opts *opts)
qspec.flags = opts->flags;
qspec.qlimit = opts->qlimit;
- pfctl_add_queue(pf, &qspec);
+ if (pfctl_add_queue(pf, &qspec)) {
+ yyerror("cannot add queue");
+ return (1);
+ }
);
FREE_LIST(struct node_if, interfaces);
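Review bot: The added `return (1);` leaves expand_queue before `FREE_LIST(struct node_if, interfaces);` runs, so the interface list is not freed on the failure path; the closing `);` right after it suggests the return sits inside a loop macro. pfctl most likely exits soon after a parse error, so the impact is small, but recording the failure in a local (for example `rv = 1;`) and returning it after the FREE_LIST line would keep cleanup on a single path. The callee added in pfctl.c already prints its own message, so one rejected queue produces two diagnostics. expand_queue starts and ends outside this hunk.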
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 9fb5cb58e16..813281cd2d1 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.319 2013/10/12 12:16:11 henning Exp $ */
+/* $OpenBSD: pfctl.c,v 1.320 2013/10/17 19:59:54 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1108,6 +1108,11 @@ pfctl_add_queue(struct pfctl *pf, struct pf_queuespec *q)
{
struct pfctl_qsitem *qi;
+ if (pf->anchor->name[0]) {
+ printf("must not have queue definitions in an anchor\n");
+ return (1);
+ }
+
if ((qi = calloc(1, sizeof(*qi))) == NULL)
err(1, "calloc");
bcopy(q, &qi->qs, sizeof(qi->qs));
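Review bot: The new rejection message in pfctl_add_queue is written with `printf`, so it goes to stdout, while the `err(1, "calloc")` directly below reports on stderr. When pfctl output is redirected or the tool is driven from a script, a refused queue definition is then easy to miss. `warnx("must not have queue definitions in an anchor");` would match the surrounding error style. The check also dereferences `pf->anchor` unconditionally; presumably the parser always sets it before this call, but that is not visible here. The function body continues past the end of the hunk.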
@@ -1503,8 +1508,8 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
goto _error;
}
- if (pfctl_check_qassignments(&pf.anchor->ruleset) ||
- pfctl_load_queues(&pf)) {
+ if (!anchorname[0] && (pfctl_check_qassignments(&pf.anchor->ruleset) ||
+ pfctl_load_queues(&pf))) {
if ((opts & PF_OPT_NOACTION) == 0)
ERRX("Unable to load queues into kernel");
else
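Review bot: The `!anchorname[0] &&` guard in pfctl_rules short-circuits `pfctl_check_qassignments()` as well as `pfctl_load_queues()`, so, judging by its name, queue assignments on rules loaded into an anchor are no longer checked at load time. If that is intended because queues can only live in the main ruleset, it deserves a comment above the condition, e.g. `/* queues exist only in the main ruleset: nothing to check or load for an anchor */`. This test uses `anchorname` while the one added to pfctl_add_queue uses `pf->anchor->name`; they presumably always agree, but using one source for both would make that evident. The enclosing function starts and ends outside the hunk.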