Date: Tue, 28 Apr 2026 22:20:30 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Kristof Provost
cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: Re: git: 47c12f20bf58 - stable/15 - pf: only allow a subset of netlink calls when securelevel is set

On Tue, 28 Apr 2026, Kristof Provost wrote:

> The branch stable/15 has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=47c12f20bf58b69e7ab1707e6e705907ad0d277e
>
> commit 47c12f20bf58b69e7ab1707e6e705907ad0d277e
> Author:     Kristof Provost
> AuthorDate: 2026-04-20 06:36:17 +0000
> Commit:     Kristof Provost
> CommitDate: 2026-04-28 15:33:57 +0000
>
>     pf: only allow a subset of netlink calls when securelevel is set

This seems to have broken LINT-NOVIMAGE on stable/15.

sys/netlink/netlink_generic.c:154:6: error: call to undeclared function 'securelevel_ge'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]

>     Extend the genl_cmd struct to allow calls to also carry a securelevel.
>     If that's set compare the current securelevel to only allow the call if
>     the level is lower than that.
>
>     If no value is specified continue to allow calls in any securelevel,
>     as before.
>
>     This allows us to easily implement the same securelevel restrictions for
>     pf as we have for the corresponding ioctls.
>
>     Reviewed by:    glebius
>     MFC after:      1 week
>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>     Differential Revision:  https://reviews.freebsd.org/D56390
>
>     (cherry picked from commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744)

-- 
Bjoern A. Zeeb                                                     r15:7
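
The gate the quoted commit message describes, as a user-space model. This is an added example, not part of the mail or of the FreeBSD source; the struct, the function names, the use of 0 for "no value specified" and the command table are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a generic netlink command entry. */
struct model_cmd {
	uint8_t     id;           /* command number */
	const char *name;
	int         securelevel;  /* 0 = not specified (assumed encoding) */
	int       (*handler)(void);
};

static int handler_ok(void) { return 0; }

/* Constructed table: one read-only call, one state-changing call. */
static const struct model_cmd model_cmds[] = {
	{ 1, "GET_STATUS", 0, handler_ok },
	{ 2, "ADD_RULE",   3, handler_ok },
};
#define MODEL_NCMDS (sizeof(model_cmds) / sizeof(model_cmds[0]))

/* Allowed when no level is set, or when the current level is lower. */
static int model_cmd_permitted(const struct model_cmd *cmd, int cur_level)
{
	return cmd->securelevel == 0 || cur_level < cmd->securelevel;
}

/* The gate sits in the dispatcher, so no handler can skip it. */
int model_dispatch(uint8_t id, int cur_level)
{
	for (size_t i = 0; i < MODEL_NCMDS; i++) {
		if (model_cmds[i].id != id)
			continue;
		if (!model_cmd_permitted(&model_cmds[i], cur_level))
			return EPERM;
		return model_cmds[i].handler();
	}
	return EOPNOTSUPP;
}

/* Audit helper: how many commands stay callable at a given level.
 * Entries without a level are default-allow, so they always count. */
size_t model_reachable_at(int cur_level)
{
	size_t n = 0;
	for (size_t i = 0; i < MODEL_NCMDS; i++)
		n += model_cmd_permitted(&model_cmds[i], cur_level) ? 1 : 0;
	return n;
}
```

Because an entry without a level stays callable everywhere, a review of such a table should look at the entries that carry no level, not only at those that do.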