author | 2003-01-25 15:37:00 +0000 | |
---|---|---|
committer | 2003-01-25 15:37:00 +0000 | |
commit | 1f2c5b6a97ec1819700b888ec8be1147d85ad8d5 (patch) | |
tree | 327f35532c0122c731a37565ba99c37c24900ebe | |
parent | don't send more than half of the send buffer space limit in (diff) | |
Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.
-rw-r--r-- | sbin/pfctl/parse.y | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 7563271693b..ddf7858bb8c 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.296 2003/01/25 00:51:40 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.297 2003/01/25 15:37:00 cedric Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -211,6 +211,7 @@ struct queue_opts {
 } queue_opts;
 int yyerror(char *, ...);
+int disallow_table(struct node_host *, char *);
 int rule_consistent(struct pf_rule *);
 int nat_consistent(struct pf_rule *);
 int rdr_consistent(struct pf_rule *);
@@ -2220,6 +2221,10 @@ natrule : no NAT interface af proto fromto redirpool pooltype staticport
 "address'");
 YYERROR;
 }
+ if (disallow_table($7->host, "invalid use of "
+ "table <%s> as the redirection address "
+ "a nat rule"))
+ YYERROR;
 if (!nat.af && ! $7->host->ifindex)
 nat.af = $7->host->af;
@@ -2307,6 +2312,9 @@ binatrule : no BINAT interface af proto FROM host TO ipspec redirection
 binat.proto = $5->proto;
 free($5);
 }
+ if ($7 != NULL && disallow_table($7, "invalid use of "
+ "table <%s> as the source address of a binat rule"))
+ YYERROR;
 if ($7 != NULL && $9 != NULL && $7->af != $9->af) {
 yyerror("binat ip versions must match");
 YYERROR;
@@ -2470,6 +2478,10 @@ rdrrule : no RDR interface af proto FROM ipspec TO ipspec dport
 "address'");
 YYERROR;
 }
+ if (disallow_table($11->host, "invalid use of "
+ "table <%s> as the redirection address "
+ "of a rdr rule"))
+ YYERROR;
 if (!rdr.af && !$11->host->ifindex)
 rdr.af = $11->host->af;
@@ -2563,6 +2575,9 @@ route_host : STRING {
 $$->ifname);
 YYERROR;
 }
+ if (disallow_table($3, "invalid use of table <%s> in "
+ "a route expression"))
+ YYERROR;
 }
 ;
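Review bot: The error message assembled in the natrule hunk is missing the word "of": the three concatenated literals produce `invalid use of table <%s> as the redirection address a nat rule`, while the parallel rdr hunk below reads `... as the redirection address of a rdr rule`. Change the third literal to `"of a nat rule"))` so the two messages agree. The natrule action begins and ends outside this hunk.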
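Review bot: The binatrule hunk rejects a table only in the source host (`$7`); unlike the nat and rdr hunks, nothing here checks the rule's translation address, although the hunk header shows the production ending in `redirection`. If that nonterminal can carry a table — its definition is not visible in this diff, so this is an inference — a binat whose translation address is a table would still be accepted, even though the same construct is now refused for nat and rdr. A matching `disallow_table` call on the redirection host, with a message along the lines of `"invalid use of table <%s> as the redirection address of a binat rule"`, would make the three rule types consistent. The binatrule action continues outside the hunk.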
@@ -2674,6 +2689,17 @@ yyerror(char *fmt, ...)
 }
 int
+disallow_table(struct node_host *h, char *fmt)
+{
+ for (; h != NULL; h = h->next)
+ if (h->addr.type == PF_ADDR_TABLE) {
+ yyerror(fmt, h->addr.v.tblname);
+ return (1);
+ }
+ return (0);
+}
+
+int
 rule_consistent(struct pf_rule *r)
 {
 int problems = 0; |
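Review bot: disallow_table forwards the caller-supplied `fmt` to the variadic yyerror with exactly one extra argument, so it is only correct when the string contains a single `%s` conversion and nothing else; that contract is not written down anywhere and, because fmt is not a literal at the yyerror call, the compiler's format checking cannot enforce it for the callers added in this commit. Add a header comment above the definition: `/* Report (via yyerror) the first table found in the host list h and return 1; return 0 if none. fmt must be a yyerror format taking exactly one %s, the table name. */`. The `char *fmt` parameter could in principle be `const char *`, but yyerror() is declared with `char *` in this file, so that would require a cast; keeping the file's convention is acceptable provided the comment states the format requirement.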