| field | value | date |
|---|---|---|
| author | Kristof Provost <kp@FreeBSD.org> | 2025-08-27 14:00:38 +0000 |
| committer | Kristof Provost <kp@FreeBSD.org> | 2025-09-25 12:41:08 +0000 |
| commit | d3b73a944b11311b8428f30b019802ebe7aeaef8 (patch) | |
| tree | 3b490809a5854f79a3090171967eab06ea0399a2 | |
| parent | b7ff11b380bf6ffaa5181596766e2f21a1eec962 (diff) | |
pfctl: deny "once" flags for match rules
ok henning
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 47068a62ee
Sponsored by: Rubicon Communications, LLC ("Netgate")
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sbin/pfctl/parse.y | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index c35460f5443d..c8c6f6047fa5 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -2396,8 +2396,14 @@ pfrule : action dir logquick interface route af proto fromto r.quick = $3.quick; r.af = $6; - if ($9.marker & FOM_ONCE) + if ($9.marker & FOM_ONCE) { + if (r.action == PF_MATCH) { + yyerror("can't specify once for " + "match rules"); + YYERROR; + } r.rule_flag |= PFRULE_ONCE; + } if (filteropts_to_rule(&r, &$9)) YYERROR; |
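Review bot: the new `r.action == PF_MATCH` check in the `FOM_ONCE` branch enforces the restriction only in the pfctl parser, so a match rule carrying `PFRULE_ONCE` can still reach the kernel through any loader that does not go through parse.y; if the kernel's rule-validation path does not already reject `PF_MATCH` combined with `PFRULE_ONCE`, consider adding the same check there so the invariant holds regardless of how the rule is installed. The restriction should also be stated in pf.conf(5) next to the `once` option if that page does not already say it. The check is correctly placed before `r.rule_flag |= PFRULE_ONCE` and before `filteropts_to_rule()`, so a rejected rule never gets the flag set.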
