Re: git: 47c12f20bf58 - stable/15 - pf: only allow a subset of netlink calls when securelevel is set
Date: Tue, 28 Apr 2026 22:20:30 UTC
On Tue, 28 Apr 2026, Kristof Provost wrote:
> The branch stable/15 has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=47c12f20bf58b69e7ab1707e6e705907ad0d277e
>
> commit 47c12f20bf58b69e7ab1707e6e705907ad0d277e
> Author: Kristof Provost <kp@FreeBSD.org>
> AuthorDate: 2026-04-20 06:36:17 +0000
> Commit: Kristof Provost <kp@FreeBSD.org>
> CommitDate: 2026-04-28 15:33:57 +0000
>
> pf: only allow a subset of netlink calls when securelevel is set

This seems to have broken LINT-NOVIMAGE on stable/15.

sys/netlink/netlink_generic.c:154:6: error: call to undeclared function 'securelevel_ge'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]

> Extend the genl_cmd struct to allow calls to also carry a securelevel.
> If that's set compare the current securelevel to only allow the call if
> the level is lower than that.
>
> If no value is specified continue to allow calls in any securelevel,
> as before.
>
> This allows us to easily implement the same securelevel restrictions for
> pf as we have for the corresponding ioctls.
>
> Reviewed by: glebius
> MFC after: 1 week
> Sponsored by: Rubicon Communications, LLC ("Netgate")
> Differential Revision: https://reviews.freebsd.org/D56390
>
> (cherry picked from commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744)
--
Bjoern A. Zeeb r15:7
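
The securelevel gate described in the quoted commit message, as an added userland C model that is not part of this thread or of FreeBSD's source. The struct, field, command names and levels are hypothetical, 0 is assumed to mean "no level set", and model_securelevel_ge() assumes the kernel's securelevel_ge() convention of returning EPERM when the current level is at or above the given one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a generic-netlink command entry; names are
 * illustrative and are not the fields of FreeBSD's struct genl_cmd. */
struct model_cmd {
	int		 cmd_num;
	const char	*cmd_name;
	int		 cmd_securelevel;	/* assumed: 0 = not set */
};

/* Assumed semantics, modelled on the kernel's securelevel_ge():
 * EPERM when current >= level, 0 otherwise. */
static int
model_securelevel_ge(int current, int level)
{
	return (current >= level ? EPERM : 0);
}

/* Constructed sample table: one unrestricted call, two gated calls. */
static const struct model_cmd model_cmds[] = {
	{ 1, "READ_ONLY", 0 },
	{ 2, "MODIFY_A",  2 },
	{ 3, "MODIFY_B",  3 },
};

/* 0: call may proceed; EPERM: blocked by securelevel;
 * EOPNOTSUPP: no such command in the table. */
static int
model_dispatch(int current_securelevel, int cmd_num)
{
	size_t n = sizeof(model_cmds) / sizeof(model_cmds[0]);

	for (size_t i = 0; i < n; i++) {
		const struct model_cmd *c = &model_cmds[i];

		if (c->cmd_num != cmd_num)
			continue;
		/* Only commands that carry a level are checked. */
		if (c->cmd_securelevel != 0 && model_securelevel_ge(
		    current_securelevel, c->cmd_securelevel) != 0)
			return (EPERM);
		return (0);	/* the real handler would run here */
	}
	return (EOPNOTSUPP);
}

int
main(void)
{
	for (int lvl = -1; lvl <= 3; lvl++)
		for (int cmd = 1; cmd <= 3; cmd++)
			printf("securelevel %2d cmd %d -> %d\n", lvl, cmd,
			    model_dispatch(lvl, cmd));
	return (0);
}
```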