The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=725e65580a0ec14992f41c93dba78c181de179d3

commit 725e65580a0ec14992f41c93dba78c181de179d3
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-06-27 14:21:09 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-02 07:40:53 +0000

    pfctl: Error out early on bad anchor usage
    
    `pfctl -a foo' would do nothing with the non-existent anchor and exit 0.
    This implements behaviour as documented in pfctl(8):
    
            -a anchor
                Apply flags -f, -F, and -s only to the rules in the specified
                anchor.
    
    While here, hoist a duplicate "_" check by using the more mnemonic `mode'.
    
    OK henning sashan
    
    Obtained from:  OpenBSD, kn <k...@openbsd.org>, 574cdb686a
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 926c18ee5dbc..79076fc69776 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -3198,6 +3198,15 @@ main(int argc, char *argv[])
        if (anchoropt != NULL) {
                int len = strlen(anchoropt);
 
+               if (mode == O_RDONLY && showopt == NULL) {
+                       warnx("anchors apply to -f, -F and -s only");
+                       usage();
+               }
+               if (mode == O_RDWR &&
+                   (anchoropt[0] == '_' || strstr(anchoropt, "/_") != NULL))
+                       errx(1, "anchor names beginning with '_' cannot "
+                           "be modified from the command line");
+
                if (len >= 1 && anchoropt[len - 1] == '*') {
                        if (len >= 2 && anchoropt[len - 2] == '/')
                                anchoropt[len - 2] = '\0';
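Review bot: The new `mode == O_RDONLY && showopt == NULL` guard rejects more than the documented "-f, -F and -s" set if any other read-only anchor-aware command leaves `showopt` NULL; in particular, `-T show`/`-T test` on a table inside an anchor would hit `usage()` if the `-T` parsing (outside this hunk) sets `mode` to O_RDONLY for those subcommands, which it appears to. If that path is meant to keep working, the condition should also exempt it, e.g. `if (mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL)`, with the warning text widened to match. The `'_'` check moved here now fires for every O_RDWR invocation rather than only `-F`/`-f`, which is a (probably intended) tightening worth a one-line comment such as `/* Reserved anchors are never writable from the command line, whatever the command. */`. main() starts and ends outside the hunk.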
@@ -3329,10 +3338,6 @@ main(int argc, char *argv[])
        }
 
        if (clearopt != NULL) {
-               if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
-                       errx(1, "anchor names beginning with '_' cannot "
-                           "be modified from the command line");
-
                switch (*clearopt) {
                case 'e':
                        pfctl_flush_eth_rules(dev, opts, anchorname);
@@ -3423,9 +3428,6 @@ main(int argc, char *argv[])
                        error = 1;
 
        if (rulesopt != NULL) {
-               if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
-                       errx(1, "anchor names beginning with '_' cannot "
-                           "be modified from the command line");
                if (pfctl_rules(dev, rulesopt, opts, optimize,
                    anchorname, NULL))
                        error = 1;
