git: 230ae7a67665 - main - pfctl: fails to handle nested 'load anchor' properly
Date: Thu, 26 Jun 2025 13:11:41 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=230ae7a67665522bada6608dc495e5ce68546b4f
commit 230ae7a67665522bada6608dc495e5ce68546b4f
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-06-18 13:24:28 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-26 13:11:00 +0000
pfctl: fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]
OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, ab40201610
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 4 ++--
sbin/pfctl/pfctl.c | 14 +++++++-------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0af53e2692d7..1bd8e2bb55ad 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1205,7 +1205,7 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
loadrule : LOAD ANCHOR string FROM string {
struct loadanchors *loadanchor;
- if (strlen(pf->anchor->name) + 1 +
+ if (strlen(pf->anchor->path) + 1 +
strlen($3) >= MAXPATHLEN) {
yyerror("anchorname %s too long, max %u\n",
$3, MAXPATHLEN - 1);
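Review bot: The diagnostic under the changed length check still prints only `$3` and `MAXPATHLEN - 1`, although the limit now applies to `pf->anchor->path` plus `/` plus `$3`. A short anchor name inside a deeply nested anchor would therefore be reported as too long on its own. Printing the combined path makes the rejection easier to act on, e.g. `yyerror("anchor path %s/%s too long, max %u\n", pf->anchor->path, $3, MAXPATHLEN - 1);`. The rule body continues past the end of this hunk.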
@@ -1220,7 +1220,7 @@ loadrule : LOAD ANCHOR string FROM string {
err(1, "loadrule: malloc");
if (pf->anchor->name[0])
snprintf(loadanchor->anchorname, MAXPATHLEN,
- "%s/%s", pf->anchor->name, $3);
+ "%s/%s", pf->anchor->path, $3);
else
strlcpy(loadanchor->anchorname, $3, MAXPATHLEN);
if ((loadanchor->filename = strdup($5)) == NULL)
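Review bot: The guard on the `snprintf` still tests `pf->anchor->name[0]`, while the format argument and the earlier length check now use `pf->anchor->path`; testing `pf->anchor->path[0]` would keep the three in step. Presumably name and path are both empty only for the main ruleset, so behaviour should not differ, but that is not visible here. A one-line comment above the branch, such as `/* anchorname is the full path: enclosing anchor path + "/" + name */`, would record why the path is the prefix. The rule starts and ends outside this hunk.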
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index cd4e2ae82aae..15766eb9b704 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2384,17 +2384,17 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
if (check_commit_altq(dev, opts) != 0)
ERRX("errors in altq config");
- /* process "load anchor" directives */
- if (!anchorname[0])
+ if (trans == NULL) {
+ /* process "load anchor" directives */
if (pfctl_load_anchors(dev, &pf, t) == -1)
ERRX("load anchors");
- if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
- if (!anchorname[0])
- if (pfctl_load_options(&pf))
+ if ((opts & PF_OPT_NOACTION) == 0) {
+ if (!anchorname[0] && pfctl_load_options(&pf))
goto _error;
- if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
- ERR("DIOCXCOMMIT");
+ if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
+ ERR("DIOCXCOMMIT");
+ }
}
free(path);
return (0);
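Review bot: The condition for calling `pfctl_load_anchors()` changes from `!anchorname[0]` to `trans == NULL`, so a load scoped to a named anchor that opens its own transaction now also processes `load anchor` directives and reads the files they name; nothing in the code says this is intended. A comment on the new block would help, e.g. `/* only the call that owns the transaction processes queued "load anchor" directives */`. That nested calls pass a non-NULL `trans` is inferred, since `pfctl_load_anchors()` is not shown. Because anchor-scoped loads previously skipped these directives, a regression test with a nested `load anchor` under a named anchor would pin the new behaviour. `pfctl_rules()` begins outside the hunk.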