see #2038 pfctl error when firewall settings include scrub option for reassembly

2026-03-20 10:17:16 +01:00 · 2011-02-05 20:23:39 -08:00 · 2011-02-05 20:23:39 -08:00 · 7532c769a6
commit 7532c769a6
parent 06f77e587c
2 changed files with 28 additions and 5 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,10 +1,17 @@
+2011-02-05  vadim  <vadim@netcitadel.com>
+
+	* CompilerDriver_pf.cpp (printStaticOptions): fixes #2038 "pfctl
+	error when firewall settings include scrub option for reassembly".
+	Command "scrub all reassemble tcp" does not allow direction.
+	Tested and verified on OpenBSD 4.2 and FreeBSD 8.1
+
 2011-02-04  vadim  <vadim@netcitadel.com>

 	* freebsdInterfaces.cpp (manageIpAddresses): fixes #2032 "support
 	for DHCP interfaces in rc.conf mode". Include dynamic interfaces
 	inin the list of interfaces generated script manages when the
 	script is in rc.conf format. This addds lines similar to
-	'ifconfig_em0="DHCP"'. 
+	'ifconfig_em0="DHCP"'.

 2011-02-03  vadim  <vadim@netcitadel.com>

--- a/src/pflib/CompilerDriver_pf.cpp
+++ b/src/pflib/CompilerDriver_pf.cpp
@ -293,6 +293,8 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)

    QStringList scrub_options;

+    string scrub_rule_direction = "in ";
+
    if (options->getBool("pf_do_scrub"))
    {
        if (XMLTools::version_compare(fw->getStr("version"), "4.6")<0)
@ -305,7 +307,11 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
                scrub_options << "fragment drop-ovl";
        }
        if (options->getBool("pf_scrub_reassemble_tcp"))
+        {
+            // "scrub all reassemble tcp" - does not allow direction
            scrub_options << "reassemble tcp";
+            scrub_rule_direction = "";
+        }
    }

    if (options->getBool("pf_scrub_no_df"))  scrub_options << "no-df ";
@ -318,10 +324,18 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)

        if (XMLTools::version_compare(fw->getStr("version"), "4.6")>=0)
        {
-            file << "match in all scrub (" << scrub_options.join(" ").toStdString() << ")" << endl;
+            file << "match "
+                 << scrub_rule_direction
+                 << "all scrub ("
+                 << scrub_options.join(" ").toStdString() << ")"
+                 << endl;
        } else
        {
-            file << "scrub in all " << scrub_options.join(" ").toStdString() << endl;
+            file << "scrub "
+                 << scrub_rule_direction
+                 << "all "
+                 << scrub_options.join(" ").toStdString()
+                 << endl;
        }
    }

@ -340,10 +354,12 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
    {
        if (XMLTools::version_compare(fw->getStr("version"), "4.6")>=0)
        {
-            file << "match out all scrub (" << scrub_options.join(" ").toStdString() << ")" << endl;
+            file << "match out all scrub ("
+                 << scrub_options.join(" ").toStdString() << ")" << endl;
        } else
        {
-            file << "scrub out all " << scrub_options.join(" ").toStdString() << endl;
+            file << "scrub out all "
+                 << scrub_options.join(" ").toStdString() << endl;
        }
    }