The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=230ae7a67665522bada6608dc495e5ce68546b4f

commit 230ae7a67665522bada6608dc495e5ce68546b4f
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-06-18 13:24:28 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-06-26 13:11:00 +0000

    pfctl: fails to handle nested 'load anchor' properly
    
    [ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]
    
    OK bluhm@
    
    Obtained from:  OpenBSD, sashan <sas...@openbsd.org>, ab40201610
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y |  4 ++--
 sbin/pfctl/pfctl.c | 14 +++++++-------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0af53e2692d7..1bd8e2bb55ad 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1205,7 +1205,7 @@ anchorrule        : ANCHOR anchorname dir quick interface 
af proto fromto
 loadrule       : LOAD ANCHOR string FROM string        {
                        struct loadanchors      *loadanchor;
 
-                       if (strlen(pf->anchor->name) + 1 +
+                       if (strlen(pf->anchor->path) + 1 +
                            strlen($3) >= MAXPATHLEN) {
                                yyerror("anchorname %s too long, max %u\n",
                                    $3, MAXPATHLEN - 1);
@@ -1220,7 +1220,7 @@ loadrule  : LOAD ANCHOR string FROM string        {
                                err(1, "loadrule: malloc");
                        if (pf->anchor->name[0])
                                snprintf(loadanchor->anchorname, MAXPATHLEN,
-                                   "%s/%s", pf->anchor->name, $3);
+                                   "%s/%s", pf->anchor->path, $3);
                        else
                                strlcpy(loadanchor->anchorname, $3, MAXPATHLEN);
                        if ((loadanchor->filename = strdup($5)) == NULL)
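Review bot: The guard two lines above the snprintf still tests `pf->anchor->name[0]` while the format string now uses `pf->anchor->path`, and the length check in the first hunk also uses `path`, so the same decision is keyed off two different fields. If `name` and `path` can be empty independently (the root anchor presumably has both empty, but that should be verified against how the anchor is initialised), an anchor with an empty name but a non-empty path would take the strlcpy branch and silently drop the path prefix. Changing the guard to `if (pf->anchor->path[0])` keeps the three places consistent; the existing `>= MAXPATHLEN` check already guarantees the snprintf cannot truncate. The loadrule action starts in the previous hunk and continues past this one.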
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index cd4e2ae82aae..15766eb9b704 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2384,17 +2384,17 @@ pfctl_rules(int dev, char *filename, int opts, int 
optimize,
                if (check_commit_altq(dev, opts) != 0)
                        ERRX("errors in altq config");
 
-       /* process "load anchor" directives */
-       if (!anchorname[0])
+       if (trans == NULL) {
+               /* process "load anchor" directives */
                if (pfctl_load_anchors(dev, &pf, t) == -1)
                        ERRX("load anchors");
 
-       if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
-               if (!anchorname[0])
-                       if (pfctl_load_options(&pf))
+               if ((opts & PF_OPT_NOACTION) == 0) {
+                       if (!anchorname[0] && pfctl_load_options(&pf))
                                goto _error;
-               if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
-                       ERR("DIOCXCOMMIT");
+                       if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
+                               ERR("DIOCXCOMMIT");
+               }
        }
        free(path);
        return (0);
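Review bot: The relocated comment on the new `trans == NULL` block says what the block does but not why the gate changed from `!anchorname[0]` to `trans == NULL`, which is the substance of this fix, so a later reader will not know why a non-root anchor now processes its own `load anchor` directives. I would extend it to something like `/* Only the outermost call (no transaction handed in by a caller) processes "load anchor" directives and commits; nested loads run inside that transaction. */` — the "inherited transaction" reading is inferred from the `trans` check and should be confirmed against the callers before being written down as fact. `pfctl_load_anchors` still runs irrespective of PF_OPT_NOACTION, as it did before, so -n behaviour is unchanged. pfctl_rules begins and ends outside this hunk.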
