git: 0a376f7e7e03 - main - pfctl: route-to, dup-to, reply-to should not override the block action
Date: Wed, 09 Apr 2025 19:30:44 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=0a376f7e7e0346654a74f2acf693187736c983a2
commit 0a376f7e7e0346654a74f2acf693187736c983a2
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-09 14:33:29 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-09 19:30:17 +0000
pfctl: route-to, dup-to, reply-to should not override the block action
Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>
ok jung@, ok mikeb@
Add a pfctl test case to ensure this doesn't regress.
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 1ae008c822
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 14 ++++++++++++--
sbin/pfctl/tests/files/pf1067.fail | 1 +
sbin/pfctl/tests/files/pf1067.in | 1 +
sbin/pfctl/tests/pfctl_test_list.inc | 1 +
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 8c01da9e6220..6b85c1b36303 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -5362,8 +5362,9 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
problems++;
}
}
- /* match rules rules */
- if (r->action == PF_MATCH) {
+ /* Basic rule sanity check. */
+ switch (r->action) {
+ case PF_MATCH:
if (r->divert.port) {
yyerror("divert is not supported on match rules");
problems++;
@@ -5377,6 +5378,15 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
yyerror("af-to is not supported on match rules");
problems++;
}
+ break;
+ case PF_DROP:
+ if (r->rt) {
+ yyerror("route-to, reply-to and dup-to "
+ "are not supported on block rules");
+ problems++;
+ }
+ break;
+ default:;
}
if (r->rdr.opts & PF_POOL_STICKYADDR && !r->keep_state) {
yyerror("'sticky-address' requires 'keep state'");
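Review bot: the `default:;` label at the end of the new switch is an empty statement; `default: break;` reads more clearly and is the usual form in this file's style. On the logic, the `PF_DROP` case rejects any rule with `r->rt` set, which covers all three of route-to, reply-to and dup-to as the two-line yyerror string says, and is the right behaviour since a block rule creates no state for reply-to or dup-to to act on. The file list shows no manual page change, so pf.conf(5) should be updated separately to say these options are refused on block rules, otherwise users hitting the new error have nothing to point them at the rationale.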
diff --git a/sbin/pfctl/tests/files/pf1067.fail b/sbin/pfctl/tests/files/pf1067.fail
new file mode 100644
index 000000000000..23ac1daad64f
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1067.fail
@@ -0,0 +1 @@
+route-to, reply-to and dup-to are not supported on block rules
diff --git a/sbin/pfctl/tests/files/pf1067.in b/sbin/pfctl/tests/files/pf1067.in
new file mode 100644
index 000000000000..47f3bf6285dd
--- /dev/null
+++ b/sbin/pfctl/tests/files/pf1067.in
@@ -0,0 +1 @@
+block in route-to (if0 127.0.0.1/8)
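Review bot: the new input file only exercises `route-to`; the check it regresses against is on `r->rt`, so `reply-to` and `dup-to` on a block rule take the same path but are not covered by any test here. Consider adding two further `.in`/`.fail` pairs with `block in reply-to (if0 127.0.0.1/8)` and `block in dup-to (if0 127.0.0.1/8)` so each keyword the error message names is verified to be rejected.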
diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc
index 6a8d76390bd6..7e43556d2c4d 100644
--- a/sbin/pfctl/tests/pfctl_test_list.inc
+++ b/sbin/pfctl/tests/pfctl_test_list.inc
@@ -175,3 +175,4 @@ PFCTL_TEST_IFACE(1063, "Interface translation: IPv6 rule, interface with bracket
PFCTL_TEST_IFACE(1064, "Interface translation: IPv6 rule, interface with brackets is not translated, extra host, round robin is applied")
PFCTL_TEST(1065, "no nat")
PFCTL_TEST(1066, "no rdr")
+PFCTL_TEST_FAIL(1067, "route-to can't be used on block rules")
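Review bot: the test description "route-to can't be used on block rules" is narrower than the error text the test asserts on, which names route-to, reply-to and dup-to; naming all three in the description (or adding the sibling tests) keeps the test list consistent with what pf1067.fail expects.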