git: d3b73a944b11 - main - pfctl: deny "once" flags for match rules
Date: Thu, 25 Sep 2025 12:41:37 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=d3b73a944b11311b8428f30b019802ebe7aeaef8
commit d3b73a944b11311b8428f30b019802ebe7aeaef8
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-27 14:00:38 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-25 12:41:08 +0000
pfctl: deny "once" flags for match rules
ok henning
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 47068a62ee
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c35460f5443d..c8c6f6047fa5 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -2396,8 +2396,14 @@ pfrule : action dir logquick interface route af proto fromto
r.quick = $3.quick;
r.af = $6;
- if ($9.marker & FOM_ONCE)
+ if ($9.marker & FOM_ONCE) {
+ if (r.action == PF_MATCH) {
+ yyerror("can't specify once for "
+ "match rules");
+ YYERROR;
+ }
r.rule_flag |= PFRULE_ONCE;
+ }
if (filteropts_to_rule(&r, &$9))
YYERROR;
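Review bot: The new `r.action == PF_MATCH` test under `if ($9.marker & FOM_ONCE)` only rejects the combination for rulesets that pass through pfctl's grammar. The diffstat lists only sbin/pfctl/parse.y, so nothing in this commit stops another privileged client from handing the kernel a match rule with `PFRULE_ONCE` already set. The commit message does not say whether the combination is unsafe or merely meaningless; if it is unsafe, the kernel's rule-add path should presumably refuse it as well. The reason is worth recording beside the check, for example `/* once is not supported on match rules; reject at parse time */`, and pf.conf(5) likely needs the same restriction stated. The check relies on `r.action` having been assigned earlier in the `pfrule` action, which begins outside this hunk.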