From nobody Sun Mar 22 06:02:35 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fdm1770yTz6W1wb for ; Sun, 22 Mar 2026 06:02:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fdm176M5jz3PcD for ; Sun, 22 Mar 2026 06:02:35 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774159355; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=8+NcU/huMLpx2NojrBcR2jUEZM9X6rnXc73YyU3c8Ac=; b=uh3WBjB4lD3+T9m9JtOPjghJOX2fbuzBeOBQPAueWdoVqi5KUWiJUByGOYvJAE2NSJUzRa 6uZusMblzie790w4+nJBLVmdlCIBeBEffsx98+gQnG2nB/MvgLMItju0Ofp6esP+FPeRPh XDh8Xi0//lzxyFzy9xLJ4SDAcN+aNxSVdrF4OWWM5v+WX2dGM4gCBqsaK3/5dq5mZBgWRx D69GFjghcbcB3e/0+NqdrL4dZ7JNJNo9fhCSDO6Zvu6aw/olFs3bUPek6Nxuq8H9jpkdf3 WjnZihJGmcmYU/BipTqghUgdkPFDgCkEwLNExQCVPdhZsYAl54GE9pRms/ntVQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1774159355; a=rsa-sha256; cv=none; b=yTJ3krrq2enPX/mnQK/oxz5YTVCEM+pAF29dKDhHEdOhgPyn8U3J9+jLUH7bvEzN7MvsSN Yfh8ml0qfcf1v6qHi8JkvoeuT4t7Ev+4zHVvCY8Ue1+/pcuz8UZgRHCpNGusmZifBfUWAs oWuHfu3nNYzq+e7hRM5RZte1k37KZxgbclYVZ40nMyQQHI+16ecsJ2DRqP1fWDeY5YjnqD LlavwgUIWdttVQaA5D9WMm8g6e9nhoN6m8URVOuOPr53pIMsYvXuBHmp6j0wGUMsfU7RXF Es/W/QQ/k7/SmnQqnyAPZCfgUMC1nL4dxAlt4ptqGGEEYrCw07Ody/6yP5f1/A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1774159355; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=8+NcU/huMLpx2NojrBcR2jUEZM9X6rnXc73YyU3c8Ac=; b=U2aiZGD4Wqf7+qEJjTasBNrfqiuepg2qiIQD1qc8sZ1m5CLu286t4CZafit8aZMMl1V/QJ G1nmFYcwnx/IkHzDlKSChnUpLpX6wWE6MzHzKvcPlfxvT8OkNoFKmE6ZIIT4lf6qTvj8ab stMa1Qm9TWUdx60YaiuE8GnDwI/RP9tUQz4NT1Stu4dCEsYLiP+cRp0JVHBAdKjluW/xYu kKZzRfXQpHPFB94J6lyCOy/p8QrRI6Y020Sko1iYyaeCpq3ASRi4qQAyqChKvD7H6MfxQ8 M0gToVNqF+GaTr+cryeKknrBLoUFi5YOhNsXDn12AgutXrS7z/HiuMMKimVeNQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fdm175ygsznDb for ; Sun, 22 Mar 2026 06:02:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 346cc by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 22 Mar 2026 06:02:35 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 343ace42f82a - main - pfctl: parser must not ignore error from pfctl_optimize_ruleset() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 343ace42f82a629374af4dc3a72da5f46f2c3feb Auto-Submitted: auto-generated Date: Sun, 22 Mar 2026 06:02:35 +0000 Message-Id: <69bf85fb.346cc.3b4247b8@gitrepo.freebsd.org> The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=343ace42f82a629374af4dc3a72da5f46f2c3feb commit 343ace42f82a629374af4dc3a72da5f46f2c3feb Author: Kristof Provost AuthorDate: 2026-03-22 02:50:47 +0000 Commit: Kristof Provost CommitDate: 2026-03-22 03:47:37 +0000 pfctl: parser must not ignore error from pfctl_optimize_ruleset() Ignoring the error may cause pfctl(8) to load inconsistent ruleset preventing pf(4) to enforce desired policy. Issue reported and fix suggested by berts _from_ fastmail _dot_ com 'Looks good.' @deraadt MFC after: 1 week Obtained from: OpenBSD, sashan , 9fd28a8cca Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 87343f762842..5a4668416b5b 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2513,8 +2513,9 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs, printf("\n"); } - if (pf->optimize && rs_num == PF_RULESET_FILTER) - pfctl_optimize_ruleset(pf, rs); + if (pf->optimize && rs_num == PF_RULESET_FILTER && + (error = pfctl_optimize_ruleset(pf, rs)) != 0) + goto error; while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) { TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);