Date:      Tue, 28 Apr 2026 16:05:07 +0000
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: afbda5806304 - stable/14 - pf: do not allow flags to be changed with securelevel set
Message-ID:  <69f0dab3.44d55.676cc1b2@gitrepo.freebsd.org>


The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=afbda58063048e2ddc47f7fc6fcc34718ccd7dbf

commit afbda58063048e2ddc47f7fc6fcc34718ccd7dbf
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-04-13 13:48:39 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-04-28 16:04:49 +0000

    pf: do not allow flags to be changed with securelevel set
    
    With securelevel set (for pf that means >= 3) we're expected to reject
    rule changes. However, we allowed interface flags to be changed, which
    would allow 'set skip on X' to be changed.
    
    Remove DIOCSETIFFLAG and DIOCCLRIFFLAG from the securelevel whitelist.
    
    MFC after:      1 week
    Reported by:    cyberkittens
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit d5ca00f2d8743f0885c17f50c8c011cae285fbdb)
---
 sys/netpfil/pf/pf_ioctl.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 5617207d28f9..e824dfcff453 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2598,8 +2598,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		case DIOCIGETIFACES:
 		case DIOCGIFSPEEDV0:
 		case DIOCGIFSPEEDV1:
-		case DIOCSETIFFLAG:
-		case DIOCCLRIFFLAG:
 		case DIOCGETETHRULES:
 		case DIOCGETETHRULE:
 		case DIOCGETETHRULESETS:
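Review bot: the two removed cases now fall through to whatever path handles non-whitelisted ioctls under securelevel, but that path is outside the hunk's context, so the review cannot confirm from this diff alone that DIOCSETIFFLAG and DIOCCLRIFFLAG are rejected with the same error as other rule-changing ioctls rather than silently ignored; the commit message should state the resulting error, and a regression test that raises securelevel and then attempts to change an interface flag (expecting the request to be refused) would keep this from regressing, since the patch adds no test.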

