To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: afbda5806304 - stable/14 - pf: do not allow flags to be changed with securelevel set
Date: Tue, 28 Apr 2026 16:05:07 +0000
Message-Id: <69f0dab3.44d55.676cc1b2@gitrepo.freebsd.org>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: afbda58063048e2ddc47f7fc6fcc34718ccd7dbf

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=afbda58063048e2ddc47f7fc6fcc34718ccd7dbf

commit afbda58063048e2ddc47f7fc6fcc34718ccd7dbf
Author:     Kristof Provost
AuthorDate: 2026-04-13 13:48:39 +0000
Commit:     Kristof Provost
CommitDate: 2026-04-28 16:04:49 +0000

    pf: do not allow flags to be changed with securelevel set

    With securelevel set (for pf that means >= 3) we're expected to reject rule
    changes. However, we allowed interface flags to be changed, which would allow
    'set skip on X' to be changed.

    Remove DIOCSETIFFLAG and DIOCCLRIFFLAG from the securelevel whitelist.

    MFC after:      1 week
    Reported by:    cyberkittens
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit d5ca00f2d8743f0885c17f50c8c011cae285fbdb)

--- sys/netpfil/pf/pf_ioctl.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 5617207d28f9..e824dfcff453 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2598,8 +2598,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td case DIOCIGETIFACES: case DIOCGIFSPEEDV0: case DIOCGIFSPEEDV1: - case DIOCSETIFFLAG: - case DIOCCLRIFFLAG: case DIOCGETETHRULES: case DIOCGETETHRULE: case DIOCGETETHRULESETS:
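
Review bot: No test accompanies the removal of `case DIOCSETIFFLAG:` and `case DIOCCLRIFFLAG:` from this list in pfioctl(); the diffstat shows only the two deletions in pf_ioctl.c. Because the commit message describes this as closing a way to change 'set skip on X' at securelevel >= 3, a regression test that issues both ioctls at that securelevel and expects them to be rejected would guard against either command being re-added to the list later. The hunk also does not show what a rejected command returns to the caller, so it is worth stating in the commit message or the pf documentation that interface flag changes now fail once the securelevel is raised, since operators on stable/14 will see this as a behaviour change.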