Date: Tue, 21 Apr 2026 11:32:51 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: d5ca00f2d874 - main - pf: do not allow flags to be changed with securelevel set Message-ID: <69e76063.42e19.76af3a5f@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=d5ca00f2d8743f0885c17f50c8c011cae285fbdb commit d5ca00f2d8743f0885c17f50c8c011cae285fbdb Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2026-04-13 13:48:39 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2026-04-21 09:51:28 +0000 pf: do not allow flags to be changed with securelevel set With securelevel set (for pf that means >= 3) we're expected to reject rule changes. However, we allowed interface flags to be changed, which would allow 'set skip on X' to be changed. Remove DIOCSETIFFLAG and DIOCCLRIFFLAG from the securelevel whitelist. MFC after: 1 week Reported by: cyberkittens Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_ioctl.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 8b2ff108d9cb..586d896d0e2d 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -3899,8 +3899,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td case DIOCIGETIFACES: case DIOCGIFSPEEDV0: case DIOCGIFSPEEDV1: - case DIOCSETIFFLAG: - case DIOCCLRIFFLAG: case DIOCGETETHRULES: case DIOCGETETHRULE: case DIOCGETETHRULESETS:home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69e76063.42e19.76af3a5f>