git: ea0ca279edc2 - main - pfctl: Fix table definition parsing as unprivileged user
Date: Mon, 07 Jul 2025 15:08:03 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=ea0ca279edc2683e79a203df22b7ac02cfd48e39
commit ea0ca279edc2683e79a203df22b7ac02cfd48e39
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-02 15:07:23 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-07 15:06:51 +0000
pfctl: Fix table definition parsing as unprivileged user
revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):
$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor
So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help find duplicate definitions by hand:
$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>
Reported by Rivo Nurges, thanks!
OK benno sashan
Obtained from: OpenBSD, kn <kn@openbsd.org>, 4650ad2af4
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index ca3ca28475d7..d465599e1738 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -5434,7 +5434,12 @@ process_tabledef(char *name, struct table_opts *opts, int popts)
if (pf->opts & PF_OPT_VERBOSE)
print_tabledef(name, opts->flags, opts->init_addr,
&opts->init_nodes);
- warn_duplicate_tables(name, pf->anchor->path);
+ if (!(pf->opts & PF_OPT_NOACTION) ||
+ (pf->opts & PF_OPT_DUMMYACTION))
+ warn_duplicate_tables(name, pf->anchor->path);
+ else if (pf->opts & PF_OPT_VERBOSE)
+ fprintf(stderr, "%s:%d: skipping duplicate table checks"
+ " for <%s>\n", file->name, yylval.lineno, name);
if (!(pf->opts & PF_OPT_NOACTION) &&
pfctl_define_table(name, opts->flags, opts->init_addr,
pf->anchor->path, &ab, pf->anchor->ruleset.tticket)) {
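Review bot: the new condition gates warn_duplicate_tables() on the option flags (PF_OPT_NOACTION / PF_OPT_DUMMYACTION) rather than on whether the table list can actually be fetched, as the commit message describes; with `-n` alone the duplicate check is therefore skipped even for a privileged user whose pfr_get_tables() call would succeed. Either check the result of opening pf(4) (or of the table query) before skipping, or note in the commit message and pfctl(8) that `-n` without `-vv`-style dummy action always skips namespace collision checks. Minor: the `pf->opts & PF_OPT_VERBOSE` test now appears twice in this block and could be hoisted so the print_tabledef() call and the skip notice share one check.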