Date: Sun, 22 Mar 2026 06:02:35 +0000
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 343ace42f82a - main - pfctl: parser must not ignore error from pfctl_optimize_ruleset()
Message-ID: <69bf85fb.346cc.3b4247b8@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=343ace42f82a629374af4dc3a72da5f46f2c3feb commit 343ace42f82a629374af4dc3a72da5f46f2c3feb Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2026-03-22 02:50:47 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2026-03-22 03:47:37 +0000 pfctl: parser must not ignore error from pfctl_optimize_ruleset() Ignoring the error may cause pfctl(8) to load inconsistent ruleset preventing pf(4) to enforce desired policy. Issue reported and fix suggested by berts _from_ fastmail _dot_ com 'Looks good.' @deraadt MFC after: 1 week Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 9fd28a8cca Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 87343f762842..5a4668416b5b 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2513,8 +2513,9 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs, printf("\n"); } - if (pf->optimize && rs_num == PF_RULESET_FILTER) - pfctl_optimize_ruleset(pf, rs); + if (pf->optimize && rs_num == PF_RULESET_FILTER && + (error = pfctl_optimize_ruleset(pf, rs)) != 0) + goto error; while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) { TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);home | help
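Review bot: In the pfctl_load_ruleset() hunk at line 2513, the call to pfctl_optimize_ruleset() and the assignment to `error` now sit in the third clause of the `if` condition, where a side effect is easy to overlook; a nested form (outer `if (pf->optimize && rs_num == PF_RULESET_FILTER)`, inner `if ((error = pfctl_optimize_ruleset(pf, rs)) != 0) goto error;`) would keep the call as visible as it was before the change. The `error` label is outside the visible context, so please confirm its cleanup is correct when reached before the `TAILQ_FIRST`/`TAILQ_REMOVE` loop has drained `rs->rules[rs_num].active.ptr`. No message is printed at this site on failure, so it is also worth confirming that the optimizer or the `error` path reports the reason to the user rather than failing silently.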
