Diffstat (limited to 'sbin/pfctl')
| -rw-r--r-- | sbin/pfctl/parse.y | 2 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.c | 24 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.h | 2 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_radix.c | 4 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl_table.c | 13 |
5 files changed, 23 insertions, 22 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0f7702fc4630..127e2c257d69 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -6246,7 +6246,7 @@ check_binat_redirspec(struct node_host *src_host, struct pfctl_rule *r,
 	}
 	if (PF_AZERO(&r->src.addr.v.a.mask, af) ||
 	    PF_AZERO(&(nat_pool->addr.v.a.mask), af)) {
-		yyerror ("source and redir addresess must have "
+		yyerror ("source and redir addresses must have "
 		    "a matching network mask in binat-rule");
 		error++;
 	}
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 21562fa03e0d..02d6c9c84a32 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2183,6 +2183,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
 {
 	u_int8_t rs_num = pf_get_ruleset_number(r->action);
 	char *name;
+	uint32_t ticket;
 	char anchor[PF_ANCHOR_NAME_SIZE];
 	int len = strlen(path);
 	int error;
@@ -2192,7 +2193,9 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
 	if ((pf->opts & PF_OPT_NOACTION) == 0) {
 		if (pf->trans == NULL)
 			errx(1, "pfctl_load_rule: no transaction");
-		pf->anchor->ruleset.tticket = pfctl_get_ticket(pf->trans, rs_num, path);
+		ticket = pfctl_get_ticket(pf->trans, rs_num, path);
+		if (rs_num == PF_RULESET_FILTER)
+			pf->anchor->ruleset.tticket = ticket;
 	}
 	if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
 		errx(1, "pfctl_load_rule: strlcpy");
@@ -2225,7 +2228,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
 		return (1);
 	if (pfctl_add_pool(pf, &r->route, PF_RT))
 		return (1);
-	error = pfctl_add_rule_h(pf->h, r, anchor, name, pf->anchor->ruleset.tticket,
+	error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket,
 	    pf->paddr.ticket);
 	switch (error) {
 	case 0:
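Review bot: `uint32_t ticket` is declared without an initializer at the top of pfctl_load_rule() and is only assigned inside the `(pf->opts & PF_OPT_NOACTION) == 0` branch, yet the hunk at 2228 passes it to pfctl_add_rule_h() with no guard visible in the hunk; if that call is reachable with PF_OPT_NOACTION set, the argument is an uninitialized read, a hazard the old `pf->anchor->ruleset.tticket` operand did not have. Unless the add call is guarded outside the hunk, initialize at the declaration, `uint32_t ticket = 0;`, so the value is defined on every path. The new `if (rs_num == PF_RULESET_FILTER)` test would also benefit from a one-line comment stating why only the filter ruleset's ticket is cached in `tticket`, since the reason is not visible here. pfctl_load_rule()'s body continues outside all three hunks.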
@@ -2615,6 +2618,8 @@ pfctl_apply_limit(struct pfctl *pf, const char *opt, unsigned int limit)
 int
 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
 {
+	static int restore_limit_handler_armed = 0;
+
 	if (pfctl_set_limit(pf->h, index, limit)) {
 		if (errno == EBUSY)
 			warnx("Current pool size exceeds requested %s limit %u",
@@ -2623,6 +2628,9 @@ pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
 			warnx("Cannot set %s limit to %u",
 			    pf_limits[index].name, limit);
 		return (1);
+	} else if (restore_limit_handler_armed == 0) {
+		atexit(pfctl_restore_limits);
+		restore_limit_handler_armed = 1;
 	}
 	return (0);
 }
@@ -3164,10 +3172,7 @@ pfctl_show_eth_anchors(int dev, int opts, char *anchorname)
 	int ret;
 
 	if ((ret = pfctl_get_eth_rulesets_info(dev, &ri, anchorname)) != 0) {
-		if (ret == ENOENT)
-			fprintf(stderr, "Anchor '%s' not found.\n",
-			    anchorname);
-		else
+		if (ret != ENOENT)
 			errc(1, ret, "DIOCGETETHRULESETS");
 		return (-1);
 	}
@@ -3474,7 +3479,6 @@ main(int argc, char *argv[])
 
 	if ((opts & PF_OPT_NOACTION) == 0) {
 		pfctl_read_limits(pfh);
-		atexit(pfctl_restore_limits);
 	}
 
 	if (opts & PF_OPT_DISABLE)
@@ -3582,6 +3586,12 @@ main(int argc, char *argv[])
 	}
 
 	if (clearopt != NULL) {
+		int mnr;
+
+		/* Check if anchor exists. */
+		if ((pfctl_get_rulesets(pfh, anchorname, &mnr)) == ENOENT)
+			errx(1, "No such anchor %s", anchorname);
+
 		switch (*clearopt) {
 		case 'e':
 			pfctl_flush_eth_rules(dev, opts, anchorname);
diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h
index 136f51ea08f9..c540c6348d84 100644
--- a/sbin/pfctl/pfctl.h
+++ b/sbin/pfctl/pfctl.h
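Review bot: The `atexit(pfctl_restore_limits)` call added in pfctl_load_limit() ignores its return value; atexit() can fail, and when it does the limits captured by pfctl_read_limits() are never restored at exit while `restore_limit_handler_armed` is still set to 1, so registration is never retried. Check it before arming the flag, e.g. `if (atexit(pfctl_restore_limits) != 0) warn("atexit");` or treat it as fatal, matching the errx() style used elsewhere in this function. As a point of style, the `else if` follows an unconditional `return (1)`, so the `else` is redundant and the guard could be flattened to a plain `if` after the error block. The static flag also deserves a short comment, e.g. `/* Arm the restore handler only once a limit has actually been changed. */`, which appears to be why the main() hunk at 3479 drops the unconditional registration.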
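Review bot: The new anchor check in main() rejects only ENOENT from pfctl_get_rulesets(); any other non-zero return (permission or ioctl failure, for instance) is discarded and the flush in the following switch proceeds anyway. Assuming pfctl_get_rulesets() returns an errno value the way pfctl_get_eth_rulesets_info() does in the hunk at 3172, capture the result and treat other errors as fatal: `int ret = pfctl_get_rulesets(pfh, anchorname, &mnr);` `if (ret == ENOENT) errx(1, "No such anchor %s", anchorname);` `else if (ret != 0) errc(1, ret, "DIOCGETRULESETS");`. Note also that the pfctl_show_eth_anchors() hunk now returns -1 on ENOENT with no message, so unless its caller reports the condition a show request against a missing anchor fails silently outside the clear path. main()'s body continues outside both hunks.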
@@ -110,7 +110,7 @@ int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, int); int pfr_clr_addrs(struct pfr_table *, int *, int); int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int); int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int); -int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, +int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int *, int *, int); int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); diff --git a/sbin/pfctl/pfctl_radix.c b/sbin/pfctl/pfctl_radix.c index 98f907738d95..3b7161420e33 100644 --- a/sbin/pfctl/pfctl_radix.c +++ b/sbin/pfctl/pfctl_radix.c @@ -163,11 +163,11 @@ pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, int pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *size2, int *nadd, int *ndel, int *nchange, int flags) + int *nadd, int *ndel, int *nchange, int flags) { int ret; - ret = pfctl_table_set_addrs(dev, tbl, addr, size, size2, nadd, ndel, + ret = pfctl_table_set_addrs_h(pfh, tbl, addr, size, nadd, ndel, nchange, flags); if (ret) { errno = ret; diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c index 4955e1791fd7..aae347712547 100644 --- a/sbin/pfctl/pfctl_table.c +++ b/sbin/pfctl/pfctl_table.c @@ -236,17 +236,8 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command, CREATE_TABLE; if (opts & PF_OPT_VERBOSE) flags |= PFR_FLAG_FEEDBACK; - for (;;) { - int sz2 = b.pfrb_msize; - - RVTEST(pfr_set_addrs(&table, b.pfrb_caddr, b.pfrb_size, - &sz2, &nadd, &ndel, &nchange, flags)); - if (sz2 <= b.pfrb_msize) { - b.pfrb_size = sz2; - break; - } else - pfr_buf_grow(&b, sz2); - } + RVTEST(pfr_set_addrs(&table, b.pfrb_caddr, b.pfrb_size, + &nadd, &ndel, &nchange, flags)); if (nadd) xprintf(opts, "%d addresses added", nadd); if (ndel) |
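Review bot: Dropping the `sz2` retry loop in pfctl_table() removes the caller-side buffer regrowth, so if pfctl_table_set_addrs_h() (reached through the rewritten pfr_set_addrs() in the pfctl_radix.c hunk) can still report that the kernel needed more room than `b` provides, that case is now unhandled; nothing in these hunks shows that the helper takes over growth itself. If it does, record the contract at the call site, e.g. `/* pfctl_table_set_addrs_h() owns buffer sizing; no caller-side retry. */`; if it does not, the new-side call needs an explicit check for that condition before `nadd`/`ndel`/`nchange` are reported. pfctl_table()'s body continues outside the hunk on both sides, and the pfr_set_addrs() wrapper in pfctl_radix.c also extends past its hunk.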
