The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8fecb09bc58ea39833b57c88637036124d71e0ce

commit 8fecb09bc58ea39833b57c88637036124d71e0ce
Author:     Kristof Provost <[email protected]>
AuthorDate: 2025-10-06 09:45:59 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2025-10-06 21:35:29 +0000

    pfctl: store correct ticket type
    
    When loading a new rule only persist the ticket if we're actually looking at a
    filter rule. We need that ticket type later if we have to create tables, but we
    need the ticket for the correct ruleset.
    
    Fixes:  9dfc5e03da50 ("pfctl: allow tables to be defined inside anchors")
    Reported by:    Florian Smeets <[email protected]>
    MFC after:      3 days
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 21562fa03e0d..998148f5e75f 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2183,6 +2183,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct 
pfctl_rule *r, int depth)
 {
        u_int8_t                rs_num = pf_get_ruleset_number(r->action);
        char                    *name;
+       uint32_t                ticket;
        char                    anchor[PF_ANCHOR_NAME_SIZE];
        int                     len = strlen(path);
        int                     error;
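Review bot: `ticket` is declared without an initializer, and its only assignment (second hunk) sits inside the `(pf->opts & PF_OPT_NOACTION) == 0` branch, while the third hunk passes it to `pfctl_add_rule_h()`. That call appears to be nested in a block whose condition is outside the hunk; if it is the same no-action guard the read is safe today, but it depends on two separate conditions staying in sync. Declaring it as `uint32_t                ticket = 0;` would keep an indeterminate value from ever being handed over as a transaction ticket and would avoid a maybe-uninitialized warning. The body of `pfctl_load_rule()` continues outside all three hunks.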
@@ -2192,7 +2193,9 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct 
pfctl_rule *r, int depth)
        if ((pf->opts & PF_OPT_NOACTION) == 0) {
                if (pf->trans == NULL)
                        errx(1, "pfctl_load_rule: no transaction");
-               pf->anchor->ruleset.tticket = pfctl_get_ticket(pf->trans, 
rs_num, path);
+               ticket = pfctl_get_ticket(pf->trans, rs_num, path);
+               if (rs_num == PF_RULESET_FILTER)
+                        pf->anchor->ruleset.tticket = ticket;
        }
        if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
                errx(1, "pfctl_load_rule: strlcpy");
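Review bot: The new `if (rs_num == PF_RULESET_FILTER)` guard carries no comment, so the reason `pf->anchor->ruleset.tticket` is written only for filter rules lives solely in the commit message. Since the previous code stored the ticket unconditionally, a later cleanup could easily fold the two lines back together and reintroduce the wrong-ruleset ticket. A one-line comment above the guard would prevent that, for example `/* Table creation reuses tticket later, so only store the filter ruleset's ticket. */`. The wording is inferred from the commit description, so it should be confirmed against the table-creation path, which is not visible here.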
@@ -2225,7 +2228,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct 
pfctl_rule *r, int depth)
                        return (1);
                if (pfctl_add_pool(pf, &r->route, PF_RT))
                        return (1);
-               error = pfctl_add_rule_h(pf->h, r, anchor, name, 
pf->anchor->ruleset.tticket,
+               error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket,
                    pf->paddr.ticket);
                switch (error) {
                case 0:
