Use pfctl_fopen (which checks to ensure the given file isn't a directory)

for pfctl -f /path/to/pf.conf. Otherwise, if you accidentally use a dir
instead of a file (e.g. if you have an /etc/pf directory and don't notice
the name when tab-completing), you successfully install an empty ruleset.
ok sashan@

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index adc7134..ee5c00f 100644 (file)
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.714 2023/10/26 16:26:01 deraadt Exp $     */
+/*     $OpenBSD: parse.y,v 1.715 2023/11/02 20:47:31 sthen Exp $       */
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -5391,7 +5391,7 @@ pushfile(const char *name, int secret)
                        free(nfile);
                        return (NULL);
                }
-       } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
+       } else if ((nfile->stream = pfctl_fopen(nfile->name, "r")) == NULL) {
                warn("%s: %s", __func__, nfile->name);
                free(nfile->name);
                free(nfile);