| author | Kristof Provost <kp@FreeBSD.org> | 2026-03-22 02:50:47 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2026-03-22 03:47:37 +0000 |
| commit | 343ace42f82a629374af4dc3a72da5f46f2c3feb (patch) | |
| tree | 6c4a8acba279b8d26fdeb2b107ef89d2cb2e3040 | |
| parent | 0b0d34fd2f40e06e4600441b15b26b1cc1941c9f (diff) | |
pfctl: parser must not ignore error from pfctl_optimize_ruleset()
Ignoring the error may cause pfctl(8) to load an inconsistent ruleset,
preventing pf(4) from enforcing the desired policy.
Issue reported and fix suggested by berts _from_ fastmail _dot_ com
'Looks good.' @deraadt
MFC after: 1 week
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 9fd28a8cca
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sbin/pfctl/pfctl.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 87343f762842..5a4668416b5b 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2513,8 +2513,9 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs, printf("\n"); } - if (pf->optimize && rs_num == PF_RULESET_FILTER) - pfctl_optimize_ruleset(pf, rs); + if (pf->optimize && rs_num == PF_RULESET_FILTER && + (error = pfctl_optimize_ruleset(pf, rs)) != 0) + goto error; while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) { TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries); |
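Review bot: the new condition folds the call and the error check into the `if`, relying on `&&` short-circuiting so that `error` keeps its previous value when `pf->optimize` is off or the ruleset is not `PF_RULESET_FILTER`; that is correct, but the assignment-in-condition is easy to misread, and splitting it into a plain `if (pf->optimize && rs_num == PF_RULESET_FILTER) { error = pfctl_optimize_ruleset(pf, rs); if (error != 0) goto error; }` would make the intent obvious. The hunk also does not show the `error:` label in `pfctl_load_ruleset()` or what it does with `error`, so confirm the label exists in this function and that it propagates the nonzero value to the caller rather than falling through to the `TAILQ_FIRST`/`TAILQ_REMOVE` loop that follows, since the stated goal is to refuse loading the ruleset when optimization fails.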
