From 47068a62eebdbf99e67c0932dddfa4c144b5d225 Mon Sep 17 00:00:00 2001
From: mikeb
Date: Thu, 21 Aug 2014 15:09:27 +0000
Subject: [PATCH] deny "once" flags for match rules; ok henning

---
 sbin/pfctl/parse.y | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 93d82a57377..a6eab7ab1a2 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.636 2014/07/02 13:03:41 mikeb Exp $ */
+/* $OpenBSD: parse.y,v 1.637 2014/08/21 15:09:27 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1490,8 +1490,14 @@ pfrule : action dir logquick interface af proto fromto
 			r.set_prio[1] = $8.set_prio[1];
 			r.scrub_flags |= PFSTATE_SETPRIO;
 		}
-		if ($8.marker & FOM_ONCE)
+		if ($8.marker & FOM_ONCE) {
+			if (r.action == PF_MATCH) {
+				yyerror("can't specify once for "
+				    "match rules");
+				YYERROR;
+			}
 			r.rule_flag |= PFRULE_ONCE;
+		}
 		if ($8.marker & FOM_AFTO)
 			r.rule_flag |= PFRULE_AFTO;
 		r.af = $5;
-- 
2.20.1
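Review bot: The new `r.action == PF_MATCH` rejection in the FOM_ONCE branch carries no explanation of why the combination is invalid, and neither the commit message nor the hunk says what `once` would do to a non-terminal match rule; a reader maintaining the option table later has nothing to go on. I would add, above the inner `if`, a comment such as `/* "once" expires the rule after its first match, which has no sensible meaning for a non-terminal match rule; reject it at parse time. */`. The check presumably depends on `r.action` having already been assigned from `$1` earlier in this semantic action, which is outside the hunk — worth confirming that ordering, since placing any `r.action` assignment after this point would silently disable the check. The enclosing pfrule action starts and ends outside the hunk.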