diff options
| author |   mikeb <mikeb@openbsd.org> | 2014-08-21 15:09:27 +0000 |
|---|---|---|
| committer | mikeb <mikeb@openbsd.org> | 2014-08-21 15:09:27 +0000 |
| commit | 47068a62eebdbf99e67c0932dddfa4c144b5d225 (patch) | |
| tree | f84d4c64d9ea146041f02902f30e3c337a4bf718 | |
| parent | Now that DVACT_DEACTIVATE is propagated to the children of a device when (diff) | |
| download | wireguard-openbsd-47068a62eebdbf99e67c0932dddfa4c144b5d225.tar.xz wireguard-openbsd-47068a62eebdbf99e67c0932dddfa4c144b5d225.zip | |
deny "once" flags for match rules; ok henning
| -rw-r--r-- | sbin/pfctl/parse.y | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 93d82a57377..a6eab7ab1a2 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.636 2014/07/02 13:03:41 mikeb Exp $ */ +/* $OpenBSD: parse.y,v 1.637 2014/08/21 15:09:27 mikeb Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -1490,8 +1490,14 @@ pfrule : action dir logquick interface af proto fromto r.set_prio[1] = $8.set_prio[1]; r.scrub_flags |= PFSTATE_SETPRIO; } - if ($8.marker & FOM_ONCE) + if ($8.marker & FOM_ONCE) { + if (r.action == PF_MATCH) { + yyerror("can't specify once for " + "match rules"); + YYERROR; + } r.rule_flag |= PFRULE_ONCE; + } if ($8.marker & FOM_AFTO) r.rule_flag |= PFRULE_AFTO; r.af = $5; |