Mike Belopuhov(m...@belopuhov.com) on 2016.06.20 00:01:28 +0200:
> On Sun, Jun 19, 2016 at 23:43 +0200, Sebastian Benoit wrote:
> > manpage documents that af-to does not work on pass out rules, but the
> > pf.conf parser allows it, which leads a non working configuration being
> > loaded.
> >
> > this changes the parser to make pass out .. af-to an error.
> >
>
> what happens if the direction is not specified?

this works better i hope. diff --git sbin/pfctl/parse.y sbin/pfctl/parse.y index 934438c..c491b8e 100644 --- sbin/pfctl/parse.y +++ sbin/pfctl/parse.y @@ -1518,6 +1518,9 @@ pfrule : action dir logquick interface af proto fromto } if ($8.marker & FOM_AFTO) r.rule_flag |= PFRULE_AFTO; + if ($8.marker & FOM_AFTO && r.direction != PF_IN) + yyerror("af-to can only be used with direction in"); + YYERROR; r.af = $5; if ($8.tag)
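
Review bot: the two statements added under `if ($8.marker & FOM_AFTO && r.direction != PF_IN)` are not enclosed in braces, so only `yyerror("af-to can only be used with direction in");` is governed by the condition and `YYERROR;` executes for every rule that reaches this point in the pfrule action, not only for af-to rules with the wrong direction. Wrap both statements in `{ ... }` so the abort happens only when the error is reported. Because the test is `r.direction != PF_IN` rather than a comparison against the out direction, a rule with no direction given is rejected as well, which covers the question asked in the quoted reply; the hunk does not show where `r.direction` is assigned, so confirm it is set before this check. Parenthesizing `($8.marker & FOM_AFTO)` is optional since the precedence is already correct, but it would make the condition easier to read.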