From 574cdb686a80e59844f35e425e2b86ac3fb5dea0 Mon Sep 17 00:00:00 2001
From: kn
Date: Sat, 8 Sep 2018 14:12:57 +0000
Subject: [PATCH] Error out early on bad anchor usage

`pfctl -a foo' would do nothing with the non-existent anchor and exit 0.

This implements behaviour as documented in pfctl(8):

-a anchor
Apply flags -f, -F, and -s only to the rules in the specified anchor.

While here, hoist a duplicate "_" check by using the more mnemonic `mode'.

OK henning sashan
---
 sbin/pfctl/pfctl.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 90d01fb598b..f65ebb77254 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.357 2018/09/07 19:56:07 kn Exp $ */
+/* $OpenBSD: pfctl.c,v 1.358 2018/09/08 14:12:57 kn Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2500,6 +2500,14 @@ main(int argc, char *argv[])
 errx(1, "pfctl: calloc");
 memset(anchorname, 0, sizeof(anchorname));
 if (anchoropt != NULL) {
+ if (mode == O_RDONLY && showopt == NULL) {
+ warnx("anchors apply to -f, -F and -s only");
+ usage();
+ }
+ if (mode == O_RDWR &&
+ (anchoropt[0] == '_' || strstr(anchoropt, "/_") != NULL))
+ errx(1, "anchor names beginning with '_' cannot "
+ "be modified from the command line");
 int len = strlen(anchoropt);
 
 if (anchoropt[len - 1] == '*') {
@@ -2603,10 +2611,6 @@ main(int argc, char *argv[])
 anchorname, 0, 0, -1);
 
 if (clearopt != NULL) {
- if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
- errx(1, "anchor names beginning with '_' cannot "
- "be modified from the command line");
-
 switch (*clearopt) {
 case 'r':
 pfctl_clear_rules(dev, opts, anchorname);
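Review bot: The new validation block on anchoropt still lets an empty anchor name (`-a ''`) through to the unchanged `int len = strlen(anchoropt);` and `anchoropt[len - 1]` lines directly below it, where `len == 0` makes the index read one byte before the string; since this hunk now fronts all anchor sanity checks, it is the natural place to reject that input, e.g. `if (anchoropt[0] == '\0') errx(1, "empty anchor name");` ahead of the `'_'` test. The hoisted `'_'` check also now fires for every command that leaves `mode == O_RDWR`, not only for `-F` and `-f` as the two removed checks did; if `mode` is set by other options as well (those assignments are outside this hunk), that is a wider restriction than the commit message describes and deserves a sentence there. `len` would be better declared `size_t` to match `strlen` rather than narrowing to `int`. main() starts and ends outside the hunk.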
@@ -2685,9 +2689,6 @@ main(int argc, char *argv[])
 }
 
 if (rulesopt != NULL) {
- if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
- errx(1, "anchor names beginning with '_' cannot "
- "be modified from the command line");
 if (pfctl_rules(dev, rulesopt, opts, optimize,
 anchorname, NULL))
 error = 1;
-- 
2.20.1