This diff ensures that PF one shot rules can only be used inside anchors
and not in the main ruleset.

OK?


Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.624
diff -u -p -u -p -r1.624 parse.y
--- sbin/pfctl/parse.y  1 Aug 2013 19:03:11 -0000       1.624
+++ sbin/pfctl/parse.y  20 Aug 2013 01:54:10 -0000
@@ -1703,8 +1703,14 @@ pfrule           : action dir logquick interface 
                                r.set_prio[1] = $8.set_prio[1];
                                r.scrub_flags |= PFSTATE_SETPRIO;
                        }
-                       if ($8.marker & FOM_ONCE)
+                       if ($8.marker & FOM_ONCE) {
+                               if (pf->asd == 0) {
+                                       yyerror("'once' can only be used "
+                                           "inside anchors\n");
+                                       YYERROR;
+                               }
                                r.rule_flag |= PFRULE_ONCE;
+                       }
                        if ($8.marker & FOM_AFTO)
                                r.rule_flag |= PFRULE_AFTO;
                        r.af = $5;
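Review bot: the new yyerror() call ends its format string with a literal "\n" ("inside anchors\n"); the other yyerror() calls in parse.y do not, and if yyerror() appends its own newline this produces a blank line after the diagnostic. Dropping the trailing "\n" keeps the message consistent with the rest of the parser. The check itself, `pf->asd == 0` meaning the rule is being parsed at the top level rather than inside an anchor, reads correctly, and placing it before `r.rule_flag |= PFRULE_ONCE` means a rejected rule never gets the flag set.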
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.527
diff -u -p -u -p -r1.527 pf.conf.5
--- share/man/man5/pf.conf.5    25 Apr 2013 16:53:11 -0000      1.527
+++ share/man/man5/pf.conf.5    18 Aug 2013 19:13:23 -0000
@@ -611,6 +611,7 @@ directive occurs only at configuration f
 .It Ar once
 Creates a one shot rule that will remove itself from an active ruleset after
 the first match.
+This parameter can only be used in an anchor.
 In case this is the only rule in the anchor, the anchor will be destroyed
 automatically after the rule is matched.
 .Pp
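Review bot: the added sentence says "in an anchor" while the parser's error message says "inside anchors"; using the same wording in both places ("inside an anchor") makes it easier for a user who hits the error to find the relevant paragraph in pf.conf(5). It would also help to state the consequence in the man page: a rule using this parameter in the main ruleset is rejected when the ruleset is loaded.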
