git: ff141ea17cb7 - stable/15 - pf: do not allow flags to be changed with securelevel set
Date: Tue, 28 Apr 2026 16:05:09 UTC
The branch stable/15 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=ff141ea17cb7d60806625423ddc855d40f7e1d06
commit ff141ea17cb7d60806625423ddc855d40f7e1d06
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-04-13 13:48:39 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-04-28 15:33:57 +0000
pf: do not allow flags to be changed with securelevel set
With securelevel set (for pf that means >= 3) we're expected to reject
rule changes. However, we allowed interface flags to be changed, which
would allow 'set skip on X' to be changed.
Remove DIOCSETIFFLAG and DIOCCLRIFFLAG from the securelevel whitelist.
MFC after: 1 week
Reported by: cyberkittens
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit d5ca00f2d8743f0885c17f50c8c011cae285fbdb)
---
sys/netpfil/pf/pf_ioctl.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 46197a97dae4..0825a69b8f63 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -3113,8 +3113,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCIGETIFACES:
case DIOCGIFSPEEDV0:
case DIOCGIFSPEEDV1:
- case DIOCSETIFFLAG:
- case DIOCCLRIFFLAG:
case DIOCGETETHRULES:
case DIOCGETETHRULE:
case DIOCGETETHRULESETS:
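Review bot: Dropping the two `case DIOCSETIFFLAG:` / `case DIOCCLRIFFLAG:` labels only closes the gap if the path these ioctls now fall through to actually rejects them when securelevel is >= 3; the hunk shows just the label removal, so the code after this switch that performs the securelevel check and returns the error should be confirmed (and ideally exercised by a test that attempts an interface-flag change under securelevel 3 and expects failure) before this is considered fixed. It would also help future readers to have a comment on the remaining allow-list stating that only read-only queries belong there, since DIOCSETIFFLAG and DIOCCLRIFFLAG slipped in precisely because the list mixes getters with the two setters.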