The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0a376f7e7e0346654a74f2acf693187736c983a2

commit 0a376f7e7e0346654a74f2acf693187736c983a2
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-04-09 14:33:29 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-04-09 19:30:17 +0000

    pfctl: route-to, dup-to, reply-to should not override the block action
    
    Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>
    
    ok jung@, ok mikeb@
    
    Add a pfctl test case to ensure this doesn't regress.
    
    Obtained from:  OpenBSD, sashan <sas...@openbsd.org>, 1ae008c822
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y                   | 14 ++++++++++++--
 sbin/pfctl/tests/files/pf1067.fail   |  1 +
 sbin/pfctl/tests/files/pf1067.in     |  1 +
 sbin/pfctl/tests/pfctl_test_list.inc |  1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8c01da9e6220..6b85c1b36303 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -5362,8 +5362,9 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
                        problems++;
                }
        }
-       /* match rules rules */
-       if (r->action == PF_MATCH) {
+       /* Basic rule sanity check. */
+       switch (r->action) {
+       case PF_MATCH:
                if (r->divert.port) {
                        yyerror("divert is not supported on match rules");
                        problems++;
@@ -5377,6 +5378,15 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
                        yyerror("af-to is not supported on match rules");
                        problems++;
                }
+               break;
+       case PF_DROP:
+               if (r->rt) {
+                       yyerror("route-to, reply-to and dup-to "
+                           "are not supported on block rules");
+                       problems++;
+               }
+               break;
+       default:;
        }
        if (r->rdr.opts & PF_POOL_STICKYADDR && !r->keep_state) {
                yyerror("'sticky-address' requires 'keep state'");
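Review bot: The new PF_DROP case rejects `r->rt` only at parse time in pfctl, so it covers the pf.conf path but not a rule handed to the kernel by another caller of the add-rule ioctl or by an older pfctl; whether the kernel's rule-add validation also refuses a PF_DROP rule with rt set is not visible in this diff and is worth confirming, since that is the point where the block action would otherwise be overridden by the routing step. If it does not, the same rejection belongs there as well, with this pfctl message kept as the user-facing diagnostic. As a point of style, `default:;` is an empty statement where FreeBSD code normally writes `default: break;`, which reads as a deliberate no-op rather than a typo. filter_consistent begins before this hunk and continues after it.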
diff --git a/sbin/pfctl/tests/files/pf1067.fail 
b/sbin/pfctl/tests/files/pf1067.fail
new file mode 100644
index 000000000000..23ac1daad64f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1067.fail
@@ -0,0 +1 @@
+route-to, reply-to and dup-to are not supported on block rules
diff --git a/sbin/pfctl/tests/files/pf1067.in b/sbin/pfctl/tests/files/pf1067.in
new file mode 100644
index 000000000000..47f3bf6285dd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1067.in
@@ -0,0 +1 @@
+block in route-to (if0 127.0.0.1/8)
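Review bot: The regression input exercises only `route-to` on a plain `block in`, while the check it guards rejects `reply-to` and `dup-to` with the same message and presumably applies to `block return` too if that still sets PF_DROP. A second pair such as `block return in dup-to (if0 127.0.0.1/8)` with the same expected error would pin the rest of the commit message's claim at little cost, since the .fail text is shared and only one more PFCTL_TEST_FAIL line is needed.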
diff --git a/sbin/pfctl/tests/pfctl_test_list.inc 
b/sbin/pfctl/tests/pfctl_test_list.inc
index 6a8d76390bd6..7e43556d2c4d 100644
--- a/sbin/pfctl/tests/pfctl_test_list.inc
+++ b/sbin/pfctl/tests/pfctl_test_list.inc
@@ -175,3 +175,4 @@ PFCTL_TEST_IFACE(1063, "Interface translation: IPv6 rule, 
interface with bracket
 PFCTL_TEST_IFACE(1064, "Interface translation: IPv6 rule, interface with 
brackets is not translated, extra host, round robin is applied")
 PFCTL_TEST(1065, "no nat")
 PFCTL_TEST(1066, "no rdr")
+PFCTL_TEST_FAIL(1067, "route-to can't be used on block rules")
