To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: afbda5806304 - stable/14 - pf: do not allow flags to be changed with securelevel set
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: afbda58063048e2ddc47f7fc6fcc34718ccd7dbf
Auto-Submitted: auto-generated
Date: Tue, 28 Apr 2026 16:05:07 +0000
Message-Id: <69f0dab3.44d55.676cc1b2@gitrepo.freebsd.org>

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=afbda58063048e2ddc47f7fc6fcc34718ccd7dbf

commit afbda58063048e2ddc47f7fc6fcc34718ccd7dbf
Author:     Kristof Provost
AuthorDate: 2026-04-13 13:48:39 +0000
Commit:     Kristof Provost
CommitDate: 2026-04-28 16:04:49 +0000

    pf: do not allow flags to be changed with securelevel set

    With securelevel set (for pf that means >= 3) we're expected to reject
    rule changes. However, we allowed interface flags to be changed, which
    would allow 'set skip on X' to be changed.

    Remove DIOCSETIFFLAG and DIOCCLRIFFLAG from the securelevel whitelist.

    MFC after:      1 week
    Reported by:    cyberkittens
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit d5ca00f2d8743f0885c17f50c8c011cae285fbdb)

--- sys/netpfil/pf/pf_ioctl.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 5617207d28f9..e824dfcff453 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2598,8 +2598,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td case DIOCIGETIFACES: case DIOCGIFSPEEDV0: case DIOCGIFSPEEDV1: - case DIOCSETIFFLAG: - case DIOCCLRIFFLAG: case DIOCGETETHRULES: case DIOCGETETHRULE: case DIOCGETETHRULESETS:
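
Review bot: the removal of `case DIOCSETIFFLAG:` and `case DIOCCLRIFFLAG:` in pfioctl() comes with no regression test. The diffstat shows only sys/netpfil/pf/pf_ioctl.c changed, so nothing guards against either command being put back on the list later. A test that raises securelevel to the pf threshold (>= 3 per the commit message) and asserts that both ioctls are rejected while a getter such as DIOCIGETIFACES still succeeds would pin the behaviour down. The entries left in the visible context are all GET-style commands (DIOCIGETIFACES, DIOCGIFSPEEDV0, DIOCGIFSPEEDV1, DIOCGETETHRULES, DIOCGETETHRULE, DIOCGETETHRULESETS), so a short comment above the case list stating that only commands which do not modify filter or interface state may be added would document the invariant this change restores. It is also worth auditing the rest of the list, outside this hunk, for any other SET/CLR-style command under the same criterion.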