The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f7289cce493d8db579e3e10bec2c95887c4ba52e

commit f7289cce493d8db579e3e10bec2c95887c4ba52e
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-06-30 17:12:12 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-04 08:31:12 +0000

    pf: Check for main ruleset explicitly
    
    All rulesets reference their parent anchor, except for the special cased
    main anchor containing the main ruleset, whose reference is always NULL
    since initialization and never changes.
    
    Replacing nullity tests with clearer equality checks makes the code less
    ambiguous and easier to understand.
    
    OK sashan
    
    Obtained from:  OpenBSD, kn <k...@openbsd.org>, 55038654e1
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_ioctl.c   | 4 ++--
 sys/netpfil/pf/pf_ruleset.c | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 45201f2eaec9..357b2be194a5 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2740,7 +2740,7 @@ pf_ioctl_get_rulesets(struct pfioc_ruleset *pr)
                return (ENOENT);
        }
        pr->nr = 0;
-       if (ruleset->anchor == NULL) {
+       if (ruleset == &pf_main_ruleset) {
                /* XXX kludge for pf_main_ruleset */
                RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
                        if (anchor->parent == NULL)
@@ -2772,7 +2772,7 @@ pf_ioctl_get_ruleset(struct pfioc_ruleset *pr)
        }
 
        pr->name[0] = 0;
-       if (ruleset->anchor == NULL) {
+       if (ruleset == &pf_main_ruleset) {
                /* XXX kludge for pf_main_ruleset */
                RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors)
                        if (anchor->parent == NULL && nr++ == pr->nr) {
diff --git a/sys/netpfil/pf/pf_ruleset.c b/sys/netpfil/pf/pf_ruleset.c
index 94e8527f6555..2e5165a9900c 100644
--- a/sys/netpfil/pf/pf_ruleset.c
+++ b/sys/netpfil/pf/pf_ruleset.c
@@ -339,7 +339,7 @@ pf_remove_if_empty_kruleset(struct pf_kruleset *ruleset)
        int                      i;
 
        while (ruleset != NULL) {
-               if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
+               if (ruleset == &pf_main_ruleset ||
                    !RB_EMPTY(&ruleset->anchor->children) ||
                    ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
                    ruleset->topen)
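Review bot: With `ruleset->anchor == NULL` dropped from this condition, `ruleset->anchor->children` and `ruleset->anchor->refcnt` are dereferenced for every ruleset that is not `&pf_main_ruleset`, so the "only the main ruleset has a NULL anchor" invariant from the commit message is now load-bearing: a violation becomes a kernel NULL dereference instead of an early exit. I would state the invariant in code at the top of the loop body, e.g. `KASSERT(ruleset == &pf_main_ruleset || ruleset->anchor != NULL, ("%s: non-main ruleset without anchor", __func__));`. The same reliance is visible in the `strlcpy(a, rs->anchor->path, MAXPATHLEN)` branch of the pf_kanchor_copyout hunk, and presumably exists after the check in pf_kanchor_setup and in the else branches of the two pf_ioctl.c hunks, which are not shown. If `pf_main_ruleset` is a per-VNET object (its definition is not in this diff), the pointer comparison also depends on the caller's vnet context, which the old NULL test did not; that is worth confirming for every caller. The body of pf_remove_if_empty_kruleset starts and ends outside the hunk.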
@@ -407,7 +407,7 @@ pf_kanchor_setup(struct pf_krule *r, const struct 
pf_kruleset *s,
        }
        ruleset = pf_find_or_create_kruleset(path);
        rs_free(path);
-       if (ruleset == NULL || ruleset->anchor == NULL) {
+       if (ruleset == NULL || ruleset == &pf_main_ruleset) {
                DPFPRINTF("%s: ruleset\n", __func__);
                return (1);
        }
@@ -432,7 +432,7 @@ pf_kanchor_copyout(const struct pf_kruleset *rs, const 
struct pf_krule *r,
                char     a[MAXPATHLEN];
                char    *p;
                int      i;
-               if (rs->anchor == NULL)
+               if (rs == &pf_main_ruleset)
                        a[0] = 0;
                else
                        strlcpy(a, rs->anchor->path, MAXPATHLEN);
