On Sun, Jun 19, 2016 at 23:43 +0200, Sebastian Benoit wrote:
> manpage documents that af-to does not work on pass out rules, but the
> pf.conf parser allows it, which leads a non working configuration being
> loaded.
>
> this changes the parser to make pass out .. af-to an error.
>
what happens if the direction is not specified?
> ok?
>
i'm not a native speaker but there should be a verb somewhere :-)
how about "af-to can only be applied to inbound rules"?
> diff --git sbin/pfctl/parse.y sbin/pfctl/parse.y
> index 934438c..0fecba8 100644
> --- sbin/pfctl/parse.y
> +++ sbin/pfctl/parse.y
> @@ -1518,6 +1518,9 @@ pfrule : action dir logquick interface af
> proto fromto
> }
> if ($8.marker & FOM_AFTO)
> r.rule_flag |= PFRULE_AFTO;
> + if ($8.marker & FOM_AFTO && r.direction == PF_OUT)
> + yyerror("af-to not possible with direction
> out");
> + YYERROR;
> r.af = $5;
>
> if ($8.tag)
