manpage documents that af-to does not work on pass out rules, but the
pf.conf parser allows it, which leads to a non-working configuration being
loaded.
this changes the parser to make pass out .. af-to an error.
ok?
diff --git sbin/pfctl/parse.y sbin/pfctl/parse.y
index 934438c..0fecba8 100644
--- sbin/pfctl/parse.y
+++ sbin/pfctl/parse.y
@@ -1518,6 +1518,9 @@ pfrule : action dir logquick interface af
proto fromto
}
if ($8.marker & FOM_AFTO)
r.rule_flag |= PFRULE_AFTO;
+ if ($8.marker & FOM_AFTO && r.direction == PF_OUT)
+ yyerror("af-to not possible with direction
out");
+ YYERROR;
r.af = $5;
if ($8.tag)
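Review bot: the added `if ($8.marker & FOM_AFTO && r.direction == PF_OUT)` has no braces, so only the `yyerror(...)` call is conditional and `YYERROR;` runs for every rule that reaches this point, which would make the parser reject rules that do not use af-to at all. Wrap both statements in `{ ... }` so the rule is aborted only when the error is reported. The string literal passed to `yyerror` is also split across two lines as mailed ("direction" / "out"), so the patch needs to be re-sent unwrapped before it will apply and compile.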