author: Kristof Provost <kp@FreeBSD.org> 2026-04-13 13:48:39 +0000
committer: Kristof Provost <kp@FreeBSD.org> 2026-04-21 09:51:28 +0000
commit: d5ca00f2d8743f0885c17f50c8c011cae285fbdb (patch)
tree: a521f80b7cf2b5b678c3bf41b9d0b281a861b94d
parent: adb16cd389c3456cbd538b658c3c0af5145dde91 (diff)
pf: do not allow flags to be changed with securelevel set
With securelevel set (for pf that means >= 3) we're expected to reject rule changes. However, we allowed interface flags to be changed, which would allow 'set skip on X' to be changed. Remove DIOCSETIFFLAG and DIOCCLRIFFLAG from the securelevel whitelist.

MFC after: 1 week
Reported by: cyberkittens
Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--  sys/netpfil/pf/pf_ioctl.c  2
1 files changed, 0 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 8b2ff108d9cb..586d896d0e2d 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -3899,8 +3899,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
case DIOCIGETIFACES:
case DIOCGIFSPEEDV0:
case DIOCGIFSPEEDV1:
- case DIOCSETIFFLAG:
- case DIOCCLRIFFLAG:
case DIOCGETETHRULES:
case DIOCGETETHRULE:
case DIOCGETETHRULESETS:
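Review bot: dropping DIOCSETIFFLAG and DIOCCLRIFFLAG from this allow-list is a user-visible behaviour change (an interface's skip flag can no longer be set or cleared once securelevel is >= 3, matching how rule changes are already refused), but the change carries neither a regression test nor a documentation update; a test that raises securelevel and asserts both ioctls are rejected while the neighbouring query ioctls still succeed would guard against the flag being re-added to this list, and the securelevel section of pf's documentation should mention that 'set skip' is now covered. The remaining entries visible in the hunk (DIOCIGETIFACES, DIOCGIFSPEEDV0/V1, DIOCGETETHRULES, DIOCGETETHRULE, DIOCGETETHRULESETS) are read-only queries, so the list is consistent with the stated intent after this removal.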