authorsashan <sashan@openbsd.org>2015-09-01 19:12:25 +0000
committersashan <sashan@openbsd.org>2015-09-01 19:12:25 +0000
commit1ae008c822be27e641cf10b0085fe3db1f38cf04 (patch)
tree089db8a2f004219b51227f2d947f9e58e9221795
parentFix a spelling error, sesson -> session. (diff)
- route-to, dup-to, reply-to should not override the block action
Spotted by Dilli Paudel <dilli ! paudel at oracle ! com> ok jung@, ok mikeb@
-rw-r--r--sbin/pfctl/parse.y18
-rw-r--r--sys/net/pf.c6
2 files changed, 19 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index f7f6ea24f97..d3b4340975d 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.648 2015/04/21 16:34:59 mikeb Exp $ */
+/* $OpenBSD: parse.y,v 1.649 2015/09/01 19:12:25 sashan Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -3997,8 +3997,9 @@ rule_consistent(struct pf_rule *r, int anchor_call)
problems++;
}
- /* match rules rules */
- if (r->action == PF_MATCH) {
+ /* Basic rule sanity check. */
+ switch (r->action) {
+ case PF_MATCH:
if (r->divert.port) {
yyerror("divert is not supported on match rules");
problems++;
@@ -4009,13 +4010,22 @@ rule_consistent(struct pf_rule *r, int anchor_call)
}
if (r->rt) {
yyerror("route-to, reply-to and dup-to "
- "must not be used on match rules");
+ "are not supported on match rules");
problems++;
}
if (r->rule_flag & PFRULE_AFTO) {
yyerror("af-to is not supported on match rules");
problems++;
}
+ break;
+ case PF_DROP:
+ if (r->rt) {
+ yyerror("route-to, reply-to and dup-to "
+ "are not supported on block rules");
+ problems++;
+ }
+ break;
+ default:;
}
return (-problems);
}
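Review bot: `default:;` at the end of the new switch is an empty statement standing in for a body; the conventional spelling is `default: break;`, which reads as an intentional no-op rather than a slip, and it would also keep the arm consistent with the `break;` that closes the PF_MATCH and PF_DROP arms above it. The new PF_DROP arm only produces a parse-time diagnostic; the change to sys/net/pf.c in the same commit is what enforces the block action in the kernel, so a rule set that reaches the kernel without passing through this parser presumably relies on that path alone. A one-line comment on the new case would make that division of labour visible to the next reader, e.g. `/* A block rule must not carry a route target; the kernel also refuses to route a blocked packet (see the PF_DROP case in pf.c). */`. rule_consistent() begins before this hunk; its closing brace is the last line shown.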
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 73e85007b00..e89e694906d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.936 2015/08/19 21:22:41 sashan Exp $ */
+/* $OpenBSD: pf.c,v 1.937 2015/09/01 19:12:25 sashan Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -6622,6 +6622,10 @@ done:
action = PF_PASS;
break;
#endif /* INET6 */
+ case PF_DROP:
+ m_freem(*m0);
+ *m0 = NULL;
+ break;
default:
/* pf_route can free the mbuf causing *m0 to become NULL */
if (r->rt) {
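Review bot: The new PF_DROP arm carries no comment explaining why it must come before `default:`, and the reason is not obvious from the code alone: a rule whose action is block may still have `r->rt` set, and the default arm below hands such packets to pf_route according to its own comment. Suggest `/* A block rule wins over route-to/reply-to/dup-to: free the mbuf here so a blocked packet never reaches pf_route. */` above `case PF_DROP:`. Clearing `*m0` after `m_freem()` matches the convention the existing comment in the default arm describes, so callers see the same post-condition whichever arm frees the mbuf. The enclosing switch and function begin before this hunk and continue after it.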