Error out early on bad anchor usage

`pfctl -a foo' would do nothing with the non-existent anchor and exit 0.
This implements behaviour as documented in pfctl(8):

	-a anchor
	    Apply flags -f, -F, and -s only to the rules in the specified
	    anchor.

While here, hoist a duplicate "_" check by using the more mnemonic `mode'.

OK henning sashan

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 90d01fb..f65ebb7 100644 (file)
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl.c,v 1.357 2018/09/07 19:56:07 kn Exp $ */
+/*     $OpenBSD: pfctl.c,v 1.358 2018/09/08 14:12:57 kn Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2500,6 +2500,14 @@ main(int argc, char *argv[])
                errx(1, "pfctl: calloc");
        memset(anchorname, 0, sizeof(anchorname));
        if (anchoropt != NULL) {
+               if (mode == O_RDONLY && showopt == NULL) {
+                       warnx("anchors apply to -f, -F and -s only");
+                       usage();
+               }
+               if (mode == O_RDWR &&
+                   (anchoropt[0] == '_' || strstr(anchoropt, "/_") != NULL))
+                       errx(1, "anchor names beginning with '_' cannot "
+                           "be modified from the command line");
                int len = strlen(anchoropt);
 
                if (anchoropt[len - 1] == '*') {
@@ -2603,10 +2611,6 @@ main(int argc, char *argv[])
                    anchorname, 0, 0, -1);
 
        if (clearopt != NULL) {
-               if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
-                       errx(1, "anchor names beginning with '_' cannot "
-                           "be modified from the command line");
-
                switch (*clearopt) {
                case 'r':
                        pfctl_clear_rules(dev, opts, anchorname);
@@ -2685,9 +2689,6 @@ main(int argc, char *argv[])
        }
 
        if (rulesopt != NULL) {
-               if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
-                       errx(1, "anchor names beginning with '_' cannot "
-                           "be modified from the command line");
                if (pfctl_rules(dev, rulesopt, opts, optimize,
                    anchorname, NULL))
                        error = 1;