git: 0ccf78da3bd4 - main - pfctl: Always check for namespace collisions on table commands
Date: Mon, 07 Jul 2025 15:08:04 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=0ccf78da3bd4f273f203deb4c237d1a3c046fac0
commit 0ccf78da3bd4f273f203deb4c237d1a3c046fac0
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-02 15:08:33 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-07 15:06:51 +0000
pfctl: Always check for namespace collisions on table commands
`-t table -T add|replace ...' would only check for duplicate tables in case
addresses were actually added to the table.
Instead of using a positive number of added addresses as proof of
successful table operations, rely on the fact that CREATE_TABLE() is
guaranteed to be called only if pf(4) can be accessed, that is,
warn_duplicate_tables() will return.
This improves duplicate detection rate as warnings are now also emitted
even when table commands eventually leave tables unchanged.
OK benno sashan
Obtained from: OpenBSD, kn <kn@openbsd.org>, 898866c293
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl_table.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index d1f20761a4f4..0842b042df41 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -85,6 +85,8 @@ static const char *istats_text[2][2][2] = {
} while (0)
#define CREATE_TABLE do { \
+ warn_duplicate_tables(table.pfrt_name, \
+ table.pfrt_anchor); \
table.pfrt_flags |= PFR_TFLAG_PERSIST; \
if ((!(opts & PF_OPT_NOACTION) || \
(opts & PF_OPT_DUMMYACTION)) && \
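Review bot: the moved warn_duplicate_tables() call now sits before the PF_OPT_NOACTION / PF_OPT_DUMMYACTION guard, so it runs on every CREATE_TABLE expansion, including dry runs where the ioctl below is skipped. The commit message says that is safe because CREATE_TABLE is only reached when pf(4) can be accessed, but nothing in the macro records that invariant; a one-line comment above the call ("pf(4) is known to be reachable here, so the lookup cannot fail") would keep a future reordering of the guard from silently reintroducing the problem.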
@@ -94,8 +96,6 @@ static const char *istats_text[2][2][2] = {
goto _error; \
} \
if (nadd) { \
- warn_duplicate_tables(table.pfrt_name, \
- table.pfrt_anchor); \
xprintf(opts, "%d table created", nadd); \
if (opts & PF_OPT_NOACTION) \
return (0); \
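Review bot: dropping the call from inside `if (nadd)` changes output ordering as well as coverage: the duplicate-table warning is now printed before `xprintf(opts, "%d table created", nadd)` instead of after it, and is emitted even when nadd is 0 and no "table created" line follows. Both are the intended effect, but anything that scrapes pfctl output (regression tests comparing stdout, scripts keyed on the "table created" line) should be checked for the new order, and the commit message could mention the ordering change explicitly.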