Date: Mon, 7 Jul 2025 15:08:03 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: ea0ca279edc2 - main - pfctl: Fix table definition parsing as unprivileged user
Message-ID: <202507071508.567F83nE016890@gitrepo.freebsd.org>
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ea0ca279edc2683e79a203df22b7ac02cfd48e39

commit ea0ca279edc2683e79a203df22b7ac02cfd48e39
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-02 15:07:23 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-07 15:06:51 +0000

    pfctl: Fix table definition parsing as unprivileged user

    revision 1.689 introduced warn_duplicate_tables() unconditionally,
    breaking the parser on tables with insufficient permissions to open pf(4):

        $ echo 'table <t>' | pfctl -nf-
        pfctl: pfr_get_tables: Bad file descriptor

    So simply check whether pfctl is able to get the table list first.
    If not, instead of silently avoiding namespace collision checks,
    print a brief notice iff `-v' is given to help finding duplicate
    definitions by hand:

        $ echo 'table <t>' | ./obj/pfctl -vnf-
        table <t>
        stdin:1: skipping duplicate table checks for <t>

    Reported by Rivo Nurges, thanks!
    OK benno sashan

    Obtained from:  OpenBSD, kn <kn@openbsd.org>, 4650ad2af4
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index ca3ca28475d7..d465599e1738 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -5434,7 +5434,12 @@ process_tabledef(char *name, struct table_opts *opts, int popts) if (pf->opts & PF_OPT_VERBOSE) print_tabledef(name, opts->flags, opts->init_addr, &opts->init_nodes); - warn_duplicate_tables(name, pf->anchor->path); + if (!(pf->opts & PF_OPT_NOACTION) || + (pf->opts & PF_OPT_DUMMYACTION)) + warn_duplicate_tables(name, pf->anchor->path); + else if (pf->opts & PF_OPT_VERBOSE) + fprintf(stderr, "%s:%d: skipping duplicate table checks" + " for <%s>\n", file->name, yylval.lineno, name); if (!(pf->opts & PF_OPT_NOACTION) && pfctl_define_table(name, opts->flags, opts->init_addr, pf->anchor->path, &ab, pf->anchor->ruleset.tticket)) {
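Review bot: the new condition in the process_tabledef() hunk keys the duplicate-table check on the PF_OPT_NOACTION / PF_OPT_DUMMYACTION mode flags rather than on whether pf(4) could actually be opened, so it is a proxy for the commit message's "check whether pfctl is able to get the table list first": a privileged `pfctl -n` run without the dummy-action option now also skips warn_duplicate_tables() (and, with `-v`, prints the "skipping duplicate table checks" notice) even though pfr_get_tables() would have succeeded for it. If that trade-off is intended, the commit message should state plainly that `-n` without dummy-action disables the collision check regardless of privilege; otherwise consider recording the result of the one attempt to open pf(4) and testing that here instead of the option flags.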