On Tue, Aug 12, 2014 at 18:26 +0200, Mike Belopuhov wrote:
> On Tue, Jul 22, 2014 at 19:03 +0200, Mike Belopuhov wrote:
> > Hi,
> >
> > Before I send a diff for pfctl to disable "once" on "match" rules,
> > I've decided to try and see how much work it is to make it actually
> > work. Turns out that I need to extend pf_rule_item by 3 pointers
> > to track the match rule ruleset, anchor rule and the ruleset it
> > belongs to.
> >
> > Here's what this means in practice. Consider a ruleset:
> >
> > block drop all
> > match out log proto tcp to port 22 once
> > anchor "foo" all {
> > match out log proto tcp to port 22 once
> > anchor "bar" all {
> > match out log proto tcp to port 22 once
> > pass out quick proto tcp to port 22 once
> > }
> > }
> >
> > Once we send a packet to port 22 the ruleset collapses to just:
> >
> > block drop all
> >
> > Thoughts?
>
> Henning thinks it's a bit of an overkill. Any other opinions?
>
Here we go then. OK?

diff --git sbin/pfctl/parse.y sbin/pfctl/parse.y
index c277b8d..61c2646 100644
--- sbin/pfctl/parse.y
+++ sbin/pfctl/parse.y
@@ -1488,12 +1488,18 @@ pfrule : action dir logquick interface af
proto fromto
if ($8.marker & FOM_SETPRIO) {
r.set_prio[0] = $8.set_prio[0];
r.set_prio[1] = $8.set_prio[1];
r.scrub_flags |= PFSTATE_SETPRIO;
}
- if ($8.marker & FOM_ONCE)
+ if ($8.marker & FOM_ONCE) {
+ if (r.action == PF_MATCH) {
+ yyerror("can't specify once for "
+ "match rules");
+ YYERROR;
+ }
r.rule_flag |= PFRULE_ONCE;
+ }
if ($8.marker & FOM_AFTO)
r.rule_flag |= PFRULE_AFTO;
r.af = $5;
if ($8.tag)
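
Review bot: the rejection of `once` on `match` rules in the new FOM_ONCE block is enforced in the pfctl parser only, so a rule with both PF_MATCH and PFRULE_ONCE set can still reach pf if it is loaded by something other than this parser; since the earlier part of the thread shows that such a rule collapses the ruleset in surprising ways, the restriction should also be stated in pf.conf(5) next to the `once` option, and the message `"can't specify once for " "match rules"` could name the reason ("once is only valid for pass/block rules") so the user knows which option to drop rather than just that the combination is rejected.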