On Fri, Oct 24, 2025 at 11:44:40AM +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> I'm sorry about it. The message is bogus and can be ignored. It is caused
> by pfctl(8) arming an atexit(3) handler to restore limits whenever it opens
> /dev/pf
> for writing. The diff below makes pfctl(8) arm the atexit handler to restore
> limits if and only if those limits get changed.
>
> let me know if diff below works for you.
>
> thanks and
> regards
> sashan
OK bluhm@
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
> index 96f7b9dac06..517bc4b861c 100644
> --- a/sbin/pfctl/pfctl.c
> +++ b/sbin/pfctl/pfctl.c
> @@ -1935,6 +1935,7 @@ int
> pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
> {
> struct pfioc_limit pl;
> + static int restore_limit_handler_armed = 0;
>
> memset(&pl, 0, sizeof(pl));
> pl.index = index;
> @@ -1947,6 +1948,9 @@ pfctl_load_limit(struct pfctl *pf, unsigned int index,
> unsigned int limit)
> warnx("Cannot set %s limit to %u",
> pf_limits[index].name, limit);
> return (1);
> + } else if (restore_limit_handler_armed == 0) {
> + atexit(pfctl_restore_limits);
> + restore_limit_handler_armed = 1;
> }
> return (0);
> }
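Review bot: The result of `atexit(pfctl_restore_limits)` in the new `else if` branch is discarded and `restore_limit_handler_armed` is set to 1 regardless, so if registration fails the modified pf limits are never rolled back at exit and no later call retries the registration. Checking the result keeps the failure visible, e.g. `if (atexit(pfctl_restore_limits) == 0) restore_limit_handler_armed = 1; else warnx("cannot register limit restore handler");`. Because the preceding branch ends in `return (1)`, the `else` is redundant and a plain `if (restore_limit_handler_armed == 0)` after the closing brace would read more clearly. A short comment such as `/* arm the restore handler only once a limit has actually been changed */` would explain the function-static flag declared in the first hunk. The condition this branch hangs off lies outside the hunk, so the assumption that it is reached only after a successful limit change should be confirmed against the full function.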
> @@ -2781,7 +2785,6 @@ main(int argc, char *argv[])
> if (dev == -1)
> err(1, "%s", pf_device);
> pfctl_read_limits(dev);
> - atexit(pfctl_restore_limits);
> } else {
> dev = open(pf_device, O_RDONLY);
> if (dev >= 0) {