aboutsummaryrefslogtreecommitdiff
path: root/sbin/pfctl/pfctl.c
diff options
context:
space:
mode:
Diffstat (limited to 'sbin/pfctl/pfctl.c')
-rw-r--r--sbin/pfctl/pfctl.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 21562fa03e0d..02d6c9c84a32 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2183,6 +2183,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
{
u_int8_t rs_num = pf_get_ruleset_number(r->action);
char *name;
+ uint32_t ticket;
char anchor[PF_ANCHOR_NAME_SIZE];
int len = strlen(path);
int error;
@@ -2192,7 +2193,9 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
if ((pf->opts & PF_OPT_NOACTION) == 0) {
if (pf->trans == NULL)
errx(1, "pfctl_load_rule: no transaction");
- pf->anchor->ruleset.tticket = pfctl_get_ticket(pf->trans, rs_num, path);
+ ticket = pfctl_get_ticket(pf->trans, rs_num, path);
+ if (rs_num == PF_RULESET_FILTER)
+ pf->anchor->ruleset.tticket = ticket;
}
if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
errx(1, "pfctl_load_rule: strlcpy");
@@ -2225,7 +2228,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
return (1);
if (pfctl_add_pool(pf, &r->route, PF_RT))
return (1);
- error = pfctl_add_rule_h(pf->h, r, anchor, name, pf->anchor->ruleset.tticket,
+ error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket,
pf->paddr.ticket);
switch (error) {
case 0:
@@ -2615,6 +2618,8 @@ pfctl_apply_limit(struct pfctl *pf, const char *opt, unsigned int limit)
int
pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
{
+ static int restore_limit_handler_armed = 0;
+
if (pfctl_set_limit(pf->h, index, limit)) {
if (errno == EBUSY)
warnx("Current pool size exceeds requested %s limit %u",
@@ -2623,6 +2628,9 @@ pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
warnx("Cannot set %s limit to %u",
pf_limits[index].name, limit);
return (1);
+ } else if (restore_limit_handler_armed == 0) {
+ atexit(pfctl_restore_limits);
+ restore_limit_handler_armed = 1;
}
return (0);
}
@@ -3164,10 +3172,7 @@ pfctl_show_eth_anchors(int dev, int opts, char *anchorname)
int ret;
if ((ret = pfctl_get_eth_rulesets_info(dev, &ri, anchorname)) != 0) {
- if (ret == ENOENT)
- fprintf(stderr, "Anchor '%s' not found.\n",
- anchorname);
- else
+ if (ret != ENOENT)
errc(1, ret, "DIOCGETETHRULESETS");
return (-1);
}
@@ -3474,7 +3479,6 @@ main(int argc, char *argv[])
if ((opts & PF_OPT_NOACTION) == 0) {
pfctl_read_limits(pfh);
- atexit(pfctl_restore_limits);
}
if (opts & PF_OPT_DISABLE)
@@ -3582,6 +3586,12 @@ main(int argc, char *argv[])
}
if (clearopt != NULL) {
+ int mnr;
+
+ /* Check if anchor exists. */
+ if ((pfctl_get_rulesets(pfh, anchorname, &mnr)) == ENOENT)
+ errx(1, "No such anchor %s", anchorname);
+
switch (*clearopt) {
case 'e':
pfctl_flush_eth_rules(dev, opts, anchorname);
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-12 01:07:36 +0000