git: 714be446a925 - main - pfctl: Defuse `-F all -i interface'
Date: Mon, 07 Jul 2025 15:07:50 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=714be446a92555911b8cbd0f0f480f0dea617fa6
commit 714be446a92555911b8cbd0f0f480f0dea617fa6
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-01 10:10:00 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-07 15:06:48 +0000
pfctl: Defuse `-F all -i interface'
Flushing all filter parameters does not make sense on one specific
interface only as already noted. However, the main ruleset as well as
all tables were still cleared on such invalid usage.
Furthermore, an empty interface name was treated like no interface at
all, hence source tracking entries, statistics and interface flags were
cleared also.
Immediately error out if `-i' is given regardless of its argument before
flushing anything.
OK sashan
Obtained from: OpenBSD, kn <kn@openbsd.org>, 7863d3574f
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index b4732d178cbb..169b75f202d1 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -3365,6 +3365,11 @@ main(int argc, char *argv[])
pfctl_clear_stats(pfh, opts);
break;
case 'a':
+ if (ifaceopt) {
+ warnx("don't specify an interface with -Fall");
+ usage();
+ /* NOTREACHED */
+ }
pfctl_flush_eth_rules(dev, opts, anchorname);
pfctl_flush_rules(dev, opts, anchorname);
pfctl_flush_nat(dev, opts, anchorname);
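Review bot: The guard `if (ifaceopt)` tests only whether `-i` was given, not the string's contents, so an empty argument (`-i ''`) is rejected the same as a named interface, which is what the commit message asks for; good. Since `usage()` does not return, the `/* NOTREACHED */` marker after it is appropriate, but the check lands before the first `pfctl_flush_*()` call in `case 'a'` only, so the pre-existing per-interface flushes handled by the other cases are unaffected, and nothing in this hunk changes their behaviour. One style point: the message `"don't specify an interface with -Fall"` spells the option as `-Fall` while the subject line and the rest of the tool's documentation write it as `-F all`; consider `"don't specify an interface with -F all"` so the warning matches the documented form.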