git: 8fecb09bc58e - main - pfctl: store correct ticket type
Date: Mon, 06 Oct 2025 21:35:38 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=8fecb09bc58ea39833b57c88637036124d71e0ce
commit 8fecb09bc58ea39833b57c88637036124d71e0ce
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-10-06 09:45:59 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-10-06 21:35:29 +0000
pfctl: store correct ticket type
When loading a new rule only persist the ticket if we're actually looking at a
filter rule. We need that ticket type later if we have to create tables, but we
need the ticket for the correct ruleset.
Fixes: 9dfc5e03da50 ("pfctl: allow tables to be defined inside anchors")
Reported by: Florian Smeets <flo@smeets.xyz>
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 21562fa03e0d..998148f5e75f 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2183,6 +2183,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
{
u_int8_t rs_num = pf_get_ruleset_number(r->action);
char *name;
+ uint32_t ticket;
char anchor[PF_ANCHOR_NAME_SIZE];
int len = strlen(path);
int error;
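Review bot: `ticket` is declared without an initializer here, the second hunk assigns it only inside the `(pf->opts & PF_OPT_NOACTION) == 0` branch, and the third hunk passes it to `pfctl_add_rule_h()`. The lines enclosing that call are outside the hunk, so it cannot be confirmed from this diff that the call sits under the same guard; if it does not, a no-action run would read an indeterminate value. Declaring it as `uint32_t ticket = 0;` makes that path deterministic and avoids a maybe-uninitialized warning. The body of pfctl_load_rule continues outside these hunks.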
@@ -2192,7 +2193,9 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
if ((pf->opts & PF_OPT_NOACTION) == 0) {
if (pf->trans == NULL)
errx(1, "pfctl_load_rule: no transaction");
- pf->anchor->ruleset.tticket = pfctl_get_ticket(pf->trans, rs_num, path);
+ ticket = pfctl_get_ticket(pf->trans, rs_num, path);
+ if (rs_num == PF_RULESET_FILTER)
+ pf->anchor->ruleset.tticket = ticket;
}
if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
errx(1, "pfctl_load_rule: strlcpy");
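Review bot: The `if (rs_num == PF_RULESET_FILTER)` test has no comment explaining why only the filter ticket is written to `pf->anchor->ruleset.tticket`; the reason exists only in the commit message. Without it, a later cleanup could fold the assignment back into the unconditional form this commit removes, and per the commit message the stored ticket would then belong to the wrong ruleset when tables are created. I would add above the test: `/* Persist only the filter ticket; it is needed later when creating tables. */`.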
@@ -2225,7 +2228,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
return (1);
if (pfctl_add_pool(pf, &r->route, PF_RT))
return (1);
- error = pfctl_add_rule_h(pf->h, r, anchor, name, pf->anchor->ruleset.tticket,
+ error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket,
pf->paddr.ticket);
switch (error) {
case 0: