Date: Tue, 28 Apr 2026 22:20:30 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: Kristof Provost <kp@FreeBSD.org> Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: Re: git: 47c12f20bf58 - stable/15 - pf: only allow a subset of netlink calls when securelevel is set Message-ID: <7rsqr33-s25s-64q4-o8nn-81sn61p9s77r@mnoonqbm.arg> In-Reply-To: <69f0dab6.44d59.7949e6e5@gitrepo.freebsd.org>
index | next in thread | previous in thread | raw e-mail
On Tue, 28 Apr 2026, Kristof Provost wrote: > The branch stable/15 has been updated by kp: > > URL: https://cgit.FreeBSD.org/src/commit/?id=47c12f20bf58b69e7ab1707e6e705907ad0d277e > > commit 47c12f20bf58b69e7ab1707e6e705907ad0d277e > Author: Kristof Provost <kp@FreeBSD.org> > AuthorDate: 2026-04-20 06:36:17 +0000 > Commit: Kristof Provost <kp@FreeBSD.org> > CommitDate: 2026-04-28 15:33:57 +0000 > > pf: only allow a subset of netlink calls when securelevel is set This seems to have broken LINT-NOVIMAGE on stable/15. sys/netlink/netlink_generic.c:154:6: error: call to undeclared function 'securelevel_ge'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration] > Extend the genl_cmd struct to allow calls to also carry a securelevel. > If that's set compare the current securelevel to only allow the call if > the level is lower than that. > > If no value is specified continue to allow calls in any securelevel, > as before. > > This allows us to easily implement the same securelevel restrictions for > pf as we have for the corresponding ioctls. > > Reviewed by: glebius > MFC after: 1 week > Sponsored by: Rubicon Communications, LLC ("Netgate") > Differential Revision: https://reviews.freebsd.org/D56390 > > (cherry picked from commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744) -- Bjoern A. Zeeb r15:7home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7rsqr33-s25s-64q4-o8nn-81sn61p9s77r>