author | 2016-11-23 12:13:23 +0000 | |
---|---|---|
committer | 2016-11-23 12:13:23 +0000 | |
commit | 1bcfad03f2ad7d9f6cadeb048244c88c37b9dcfe (patch) | |
tree | 8aa9a9ef92ea5a4c4703eed042429af79066ef3c | |
parent | M_*WAIT* flags cannot be treated as boolean values (diff) | |
download | wireguard-openbsd-1bcfad03f2ad7d9f6cadeb048244c88c37b9dcfe.tar.xz wireguard-openbsd-1bcfad03f2ad7d9f6cadeb048244c88c37b9dcfe.zip |
Explicitly forbid combining af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@
-rw-r--r-- | sbin/pfctl/parse.y | 7 | ||||
-rw-r--r-- | sys/net/pf.c | 32 |
2 files changed, 16 insertions, 23 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index e2eae6c4926..b853a42549c 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.655 2016/08/26 06:06:58 guenther Exp $ */ +/* $OpenBSD: parse.y,v 1.656 2016/11/23 12:13:23 bluhm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1530,6 +1530,11 @@ pfrule : action dir logquick interface af proto fromto yyerror("af-to can only be used with direction in"); YYERROR; } + if (($8.marker & FOM_AFTO) && $8.route.rt) { + yyerror("af-to cannot be used together with " + "route-to, reply-to, dup-to"); + YYERROR; + } r.af = $5; if ($8.tag) diff --git a/sys/net/pf.c b/sys/net/pf.c index b749f03ebda..7316c70e731 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1001 2016/11/22 19:29:54 procter Exp $ */ +/* $OpenBSD: pf.c,v 1.1002 2016/11/23 12:13:23 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -6878,28 +6878,16 @@ done: action = PF_DROP; break; } - if (r->rt) { - switch (pd.naf) { - case AF_INET: - pf_route(&pd, r, s); - break; - case AF_INET6: - pf_route6(&pd, r, s); - break; - } - } - if (pd.m) { - pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; - switch (pd.naf) { - case AF_INET: - ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0); - break; - case AF_INET6: - ip6_output(pd.m, NULL, NULL, 0, NULL, NULL); - break; - } - pd.m = NULL; + pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; + switch (pd.naf) { + case AF_INET: + ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0); + break; + case AF_INET6: + ip6_output(pd.m, NULL, NULL, 0, NULL, NULL); + break; } + pd.m = NULL; action = PF_PASS; break; #endif /* INET6 */ |
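Review bot: The new `if (($8.marker & FOM_AFTO) && $8.route.rt)` check rejects the combination only for rules that go through pfctl's parser; a rule submitted to the kernel by another ioctl user with both af-to and a route option set is still accepted, and with the pf.c half of this commit the route action is then silently ignored rather than refused. Consider also rejecting the combination in the kernel's rule validation, or at least recording the gap above the check: `/* rejected here only; the kernel ignores r->rt for af-to rules */`. I am inferring from the message text that a non-zero `$8.route.rt` covers route-to, reply-to and dup-to alike; if any other keyword sets it, the error string should name it too. The pfrule action this check sits in starts and ends outside the hunk.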
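Review bot: The new unconditional `pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;` drops the `if (pd.m)` guard the removed code had, so this path now relies on pd.m being non-NULL whenever the preceding translation step did not set PF_DROP, and that invariant is not visible in the hunk. If the guard existed only because pf_route()/pf_route6() could consume the mbuf, the new code is correct, but the assumption deserves a line of its own, e.g. `KASSERT(pd.m != NULL);` or `/* pd.m survives a successful af translation; nothing consumes it before here */` above the flag update. Without it a NULL mbuf on this path becomes a kernel NULL dereference instead of the previous silent no-op. The enclosing function, which the `done:` label belongs to, starts and ends outside the hunk.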