From 7532c769a6e3d6582624b797278f8a4ed8ab7470 Mon Sep 17 00:00:00 2001
From: Vadim Kurland
Date: Sat, 5 Feb 2011 20:23:39 -0800
Subject: [PATCH] see #2038 pfctl error when firewall settings include scrub option for reassembly
---
 doc/ChangeLog | 9 ++++++++-
 src/pflib/CompilerDriver_pf.cpp | 24 ++++++++++++++++++++----
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 106acdcac..6c6d8c9b7 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,10 +1,17 @@
+2011-02-05 vadim
+
+ * CompilerDriver_pf.cpp (printStaticOptions): fixes #2038 "pfctl error when firewall settings include scrub option for reassembly". Command "scrub all reassemble tcp" does not allow direction. Tested and verified on OpenBSD 4.2 and FreeBSD 8.1
+
 2011-02-04 vadim * freebsdInterfaces.cpp (manageIpAddresses): fixes #2032 "support for DHCP interfaces in rc.conf mode". Include dynamic interfaces inin the list of interfaces generated script manages when the script is in rc.conf format. This addds lines similar to
- 'ifconfig_em0="DHCP"'.
+ 'ifconfig_em0="DHCP"'.
 2011-02-03 vadim
diff --git a/src/pflib/CompilerDriver_pf.cpp b/src/pflib/CompilerDriver_pf.cpp
index 1dcc6761a..68e5941c4 100644
--- a/src/pflib/CompilerDriver_pf.cpp
+++ b/src/pflib/CompilerDriver_pf.cpp
@@ -293,6 +293,8 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
 QStringList scrub_options;
+ string scrub_rule_direction = "in ";
+
 if (options->getBool("pf_do_scrub"))
 {
 if (XMLTools::version_compare(fw->getStr("version"), "4.6")<0)
@@ -305,7 +307,11 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
 scrub_options << "fragment drop-ovl";
 }
 if (options->getBool("pf_scrub_reassemble_tcp"))
+ {
+ // "scrub all reassemble tcp" - does not allow direction
 scrub_options << "reassemble tcp";
+ scrub_rule_direction = "";
+ }
 }
 if (options->getBool("pf_scrub_no_df")) scrub_options << "no-df ";
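Review bot: `string scrub_rule_direction = "in ";` is declared at the top of the option-collection block with nothing near it saying why a direction could ever be dropped; the only assignment that clears it sits in the `pf_scrub_reassemble_tcp` branch of the next hunk, so a reader of this declaration has to go looking. A comment at the declaration would carry the rationale: `// Direction word for the inbound scrub rule; cleared below because the old "scrub ... reassemble tcp" syntax rejects a direction.` It is also worth checking that the project supplies an `operator<<` for streaming a `std::string` into the `QTextStream` named `file` (the existing `toStdString()` stream suggests it does), since a plain string literal or `QString` would not depend on that. The enclosing printStaticOptions body starts before and ends after this hunk.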
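Review bot: Setting `scrub_rule_direction = "";` in the `pf_scrub_reassemble_tcp` branch strips the direction from the whole inbound scrub rule, not just from the `reassemble tcp` option, so every other option accumulated in `scrub_options` (the `fragment` handling visible in this hunk, `no-df`, and whatever follows) is now applied to both directions; if the outbound rule built later in printStaticOptions carries its own copy of those options, inbound settings will also be applied to outbound traffic. The same cleared direction is used in the `match` branch of the @@ -318 hunk for pf 4.6 and later, where the no-direction restriction of the old `scrub` syntax likely does not apply (the ChangeLog only records tests on OpenBSD 4.2 and FreeBSD 8.1), so `match in all scrub (...)` silently becomes `match all scrub (...)` there. Consider clearing the direction only in the pre-4.6 `scrub` branch, or emitting `reassemble tcp` as its own directionless `scrub all reassemble tcp` line while the remaining options keep the `in` rule; which is right depends on how the outbound rule outside these hunks is assembled. The comment added here could also state that side effect: `// "scrub all reassemble tcp" - does not allow direction; this drops the direction from the entire inbound rule`.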
@@ -318,10 +324,18 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
 if (XMLTools::version_compare(fw->getStr("version"), "4.6")>=0)
 {
- file << "match in all scrub (" << scrub_options.join(" ").toStdString() << ")" << endl;
+ file << "match "
+ << scrub_rule_direction
+ << "all scrub ("
+ << scrub_options.join(" ").toStdString() << ")"
+ << endl;
 }
 else
 {
- file << "scrub in all " << scrub_options.join(" ").toStdString() << endl;
+ file << "scrub "
+ << scrub_rule_direction
+ << "all "
+ << scrub_options.join(" ").toStdString()
+ << endl;
 }
 }
@@ -340,10 +354,12 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
 {
 if (XMLTools::version_compare(fw->getStr("version"), "4.6")>=0)
 {
- file << "match out all scrub (" << scrub_options.join(" ").toStdString() << ")" << endl;
+ file << "match out all scrub ("
+ << scrub_options.join(" ").toStdString() << ")" << endl;
 }
 else
 {
- file << "scrub out all " << scrub_options.join(" ").toStdString() << endl;
+ file << "scrub out all "
+ << scrub_options.join(" ").toStdString() << endl;
 }
 }