git: 725e65580a0e - main - pfctl: Error out early on bad anchor usage
Date: Wed, 02 Jul 2025 08:27:16 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=725e65580a0ec14992f41c93dba78c181de179d3
commit 725e65580a0ec14992f41c93dba78c181de179d3
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-06-27 14:21:09 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-02 07:40:53 +0000
pfctl: Error out early on bad anchor usage
`pfctl -a foo' would do nothing with the non-existent anchor and exit 0.
This implements behaviour as documented in pfctl(8):
-a anchor
Apply flags -f, -F, and -s only to the rules in the specified
anchor.
While here, hoist a duplicate "_" check by using the more mnemonic `mode'.
OK henning sashan
Obtained from: OpenBSD, kn <kn@openbsd.org>, 574cdb686a
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 926c18ee5dbc..79076fc69776 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -3198,6 +3198,15 @@ main(int argc, char *argv[])
if (anchoropt != NULL) {
int len = strlen(anchoropt);
+ if (mode == O_RDONLY && showopt == NULL) {
+ warnx("anchors apply to -f, -F and -s only");
+ usage();
+ }
+ if (mode == O_RDWR &&
+ (anchoropt[0] == '_' || strstr(anchoropt, "/_") != NULL))
+ errx(1, "anchor names beginning with '_' cannot "
+ "be modified from the command line");
+
if (len >= 1 && anchoropt[len - 1] == '*') {
if (len >= 2 && anchoropt[len - 2] == '/')
anchoropt[len - 2] = '\0';
@@ -3329,10 +3338,6 @@ main(int argc, char *argv[])
}
if (clearopt != NULL) {
- if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
- errx(1, "anchor names beginning with '_' cannot "
- "be modified from the command line");
-
switch (*clearopt) {
case 'e':
pfctl_flush_eth_rules(dev, opts, anchorname);
@@ -3423,9 +3428,6 @@ main(int argc, char *argv[])
error = 1;
if (rulesopt != NULL) {
- if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
- errx(1, "anchor names beginning with '_' cannot "
- "be modified from the command line");
if (pfctl_rules(dev, rulesopt, opts, optimize,
anchorname, NULL))
error = 1;