ostfix) with ESMTPSA id 4g4vyV0206zp2p; Tue, 28 Apr 2026 22:20:33 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:1025]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by mx-01.divo.sbone.de (Postfix) with ESMTPS id 59542A64805; Tue, 28 Apr 2026 22:20:09 +0000 (UTC) Received: from content-filter.t4-02.sbone.de (content-filter.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:2742]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 246A92D029E9; Tue, 28 Apr 2026 22:20:32 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:4902:0:7404:2:1025]) by content-filter.t4-02.sbone.de (content-filter.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:2742]) (amavisd-new, port 10024) with ESMTP id j-Zluc0cUXJU; Tue, 28 Apr 2026 22:20:31 +0000 (UTC) Received: from nv.t4-02.sbone.de (nv.t4-02.sbone.de [IPv6:fde9:577b:c1a9:4902:0:7404:2:22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 07AB32D029D8; Tue, 28 Apr 2026 22:20:31 +0000 (UTC) Date: Tue, 28 Apr 2026 22:20:30 +0000 (UTC) From: "Bjoern A. Zeeb" To: Kristof Provost cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: Re: git: 47c12f20bf58 - stable/15 - pf: only allow a subset of netlink calls when securelevel is set In-Reply-To: <69f0dab6.44d59.7949e6e5@gitrepo.freebsd.org> Message-ID: <7rsqr33-s25s-64q4-o8nn-81sn61p9s77r@mnoonqbm.arg> References: <69f0dab6.44d59.7949e6e5@gitrepo.freebsd.org> X-OpenPGP-Key-Id: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed On Tue, 28 Apr 2026, Kristof Provost wrote: > The branch stable/15 has been updated by kp: > > URL: https://cgit.FreeBSD.org/src/commit/?id=47c12f20bf58b69e7ab1707e6e705907ad0d277e > > commit 47c12f20bf58b69e7ab1707e6e705907ad0d277e > Author: Kristof Provost > AuthorDate: 2026-04-20 06:36:17 +0000 > Commit: Kristof Provost > CommitDate: 2026-04-28 15:33:57 +0000 > > pf: only allow a subset of netlink calls when securelevel is set This seems to have broken LINT-NOVIMAGE on stable/15. sys/netlink/netlink_generic.c:154:6: error: call to undeclared function 'securelevel_ge'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration] > Extend the genl_cmd struct to allow calls to also carry a securelevel. > If that's set compare the current securelevel to only allow the call if > the level is lower than that. > > If no value is specified continue to allow calls in any securelevel, > as before. > > This allows us to easily implement the same securelevel restrictions for > pf as we have for the corresponding ioctls. > > Reviewed by: glebius > MFC after: 1 week > Sponsored by: Rubicon Communications, LLC ("Netgate") > Differential Revision: https://reviews.freebsd.org/D56390 > > (cherry picked from commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744) -- Bjoern A. Zeeb r15:7