Hi,
This issue was reported to FreeBSD by Franco Fichtner
<fra...@opnsense.org> and is relevant to OpenBSD as well.
The POM_STICKYADDRESS flag is only ever set in pool_opts, but was
checked in filter_opts. That’s clearly not intended.
The parser tries to prevent "sticky-address sticky-address" syntax but
was actually cross-rule enforcing that an ICMP filter cannot be before the
use of "sticky-address" in the next rule.
E.g.
pass inet proto icmp icmp-type {unreach}
pass in route-to (if0 127.0.0.1/8) sticky-address inet
patch:
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8a92a7e895c..ab8222f9e95 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -3684,7 +3684,7 @@ pool_opt : BITMASK {
pool_opts.staticport = 1;
}
| STICKYADDRESS {
- if (filter_opts.marker & POM_STICKYADDRESS) {
+ if (pool_opts.marker & POM_STICKYADDRESS) {
yyerror("sticky-address cannot be
redefined");
YYERROR;
}
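Review bot: The swap to `pool_opts.marker` is the right target, but the hunk does not show where POM_STICKYADDRESS is actually set or where pool_opts is reset between rules; confirm that `pool_opts.marker |= POM_STICKYADDRESS;` follows the check inside this same STICKYADDRESS block and that pool_opts (marker included) is zeroed when each rule's options are initialised, otherwise a "sticky-address" in one rule would still trip the redefinition error in the next one, just as the old cross-rule behaviour did. The old comparison against `filter_opts.marker` also explains the ICMP example in the report: any filter_opts flag sharing the bit value of POM_STICKYADDRESS would have triggered the error, so it is worth a quick grep for other POM_/FOM_ mix-ups in the remaining pool_opt and filter_opt checks while in here. Finally, the `yyerror("sticky-address cannot be` / `redefined");` split looks like mail wrapping rather than source layout; make sure the committed string literal stays on one line.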
Kristof