pfctl: deny "once" flags for match rules

ok henning

Obtained from:	OpenBSD, mikeb <mikeb@openbsd.org>, 47068a62ee
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2025-08-27 16:00:38 +02:00
parent b7ff11b380
commit d3b73a944b
+7 -1
@@ -2396,8 +2396,14 @@ pfrule : action dir logquick interface route af proto fromto
r.quick = $3.quick;
r.af = $6;
if ($9.marker & FOM_ONCE)
if ($9.marker & FOM_ONCE) {
if (r.action == PF_MATCH) {
yyerror("can't specify once for "
"match rules");
YYERROR;
}
r.rule_flag |= PFRULE_ONCE;
}
if (filteropts_to_rule(&r, &$9))
YYERROR;
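Review bot: The new `r.action == PF_MATCH` rejection inside the `FOM_ONCE` branch is enforced only in the pfctl grammar, so a ruleset submitted by any other client of the pf interface would presumably still be able to set `PFRULE_ONCE` on a match rule. The kernel-side rule validation is not visible on this page and is worth checking for the same rejection. The test also depends on `r.action` having been assigned earlier in the `pfrule` action, which starts above this hunk and continues below it, so that ordering should be confirmed. I would record the limitation next to the check, for example `/* parser-side check only; confirm the kernel also refuses PFRULE_ONCE on PF_MATCH */`, and note the restriction wherever the `once` option is documented.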