Date: Mon, 7 Jul 2025 15:07:50 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 714be446a925 - main - pfctl: Defuse `-F all -i interface'
Message-ID: <202507071507.567F7oWq016438@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=714be446a92555911b8cbd0f0f480f0dea617fa6 commit 714be446a92555911b8cbd0f0f480f0dea617fa6 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-07-01 10:10:00 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-07-07 15:06:48 +0000 pfctl: Defuse `-F all -i interface' Flushing all filter parameters does not make sense on one specific interface only as already noted. However, the main ruleset as well as all tables were still cleared on such invalid usage. Furthermore, an empty interface name was treated like no interface at all, hence source tracking entries, statistics and interface flags were cleared also. Immediately error out if `-i' is given regardless of its argument before flushing anything. OK sashan Obtained from: OpenBSD, kn <kn@openbsd.org>, 7863d3574f Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index b4732d178cbb..169b75f202d1 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -3365,6 +3365,11 @@ main(int argc, char *argv[]) pfctl_clear_stats(pfh, opts); break; case 'a': + if (ifaceopt) { + warnx("don't specify an interface with -Fall"); + usage(); + /* NOTREACHED */ + } pfctl_flush_eth_rules(dev, opts, anchorname); pfctl_flush_rules(dev, opts, anchorname); pfctl_flush_nat(dev, opts, anchorname);
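Review bot: the new `if (ifaceopt)` guard at the top of `case 'a':` lands without a regression test, since the diffstat shows only sbin/pfctl/pfctl.c changing. The commit message describes two distinct failure modes (main ruleset and tables cleared when a real interface is given, and source tracking entries, statistics and interface flags cleared when the interface name is empty), so a test that loads a ruleset and a table, runs `-F all` with `-i` and both a named and an empty argument, and then asserts a non-zero exit with the state still in place would lock in both. The empty-argument case depends on `ifaceopt` being non-NULL when `-i ''` is passed; its assignment is outside the visible hunk, so it is worth confirming it holds the raw option argument rather than a value that is reset when the string is empty. Minor style point: the warning text says `-Fall` while the subject line writes `-F all`; using one spelling in the message would make it easier to match against the documentation.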
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202507071507.567F7oWq016438>