authorkn <kn@openbsd.org>2019-01-11 03:09:24 +0000
committerkn <kn@openbsd.org>2019-01-11 03:09:24 +0000
commit7863d3574f0554bfd8f7d303d7f845d4680a517d (patch)
treea9796a8bd0866acd0f8387edd046c6a0d8ee9b3c
parentWhen creating tables inside anchors, pfctl warned about namespace (diff)
downloadwireguard-openbsd-7863d3574f0554bfd8f7d303d7f845d4680a517d.tar.xz
wireguard-openbsd-7863d3574f0554bfd8f7d303d7f845d4680a517d.zip
Defuse `-F all -i interface'
Flushing all filter parameters does not make sense on one specific interface only as already noted. However, the main ruleset as well as all tables were still cleared on such invalid usage. Furthermore, an empty interface name was treated like no interface at all, hence source tracking entries, statistics and interface flags were cleared also. Immediately error out if `-i' is given regardless of its argument before flushing anything. OK sashan
-rw-r--r--sbin/pfctl/pfctl.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 362fc58e7b8..d9d0a9b42d4 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.364 2019/01/11 01:56:54 kn Exp $ */
+/* $OpenBSD: pfctl.c,v 1.365 2019/01/11 03:09:24 kn Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2626,13 +2626,13 @@ main(int argc, char *argv[])
pfctl_clear_stats(dev, ifaceopt, opts);
break;
case 'a':
- pfctl_clear_tables(anchorname, opts);
- pfctl_clear_rules(dev, opts, anchorname);
- if (ifaceopt && *ifaceopt) {
+ if (ifaceopt) {
warnx("don't specify an interface with -Fall");
usage();
/* NOTREACHED */
}
+ pfctl_clear_tables(anchorname, opts);
+ pfctl_clear_rules(dev, opts, anchorname);
if (!*anchorname) {
pfctl_clear_states(dev, ifaceopt, opts);
pfctl_clear_src_nodes(dev, opts);
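Review bot: The placement of the new `if (ifaceopt)` guard ahead of `pfctl_clear_tables()` and `pfctl_clear_rules()` is what keeps `-F all -i <if>` from flushing anything on the error path, but nothing in the code records that the order is load-bearing, so a later reorder would quietly reintroduce the partial flush; a one-line comment before the guard, `/* -i is meaningless with -Fall; reject it before anything is flushed */`, would pin that down. The `/* NOTREACHED */` after `usage()` is the only hint that the clears below are skipped, and it documents `usage()` rather than the ordering. Whether the other `-F` modes — e.g. the `pfctl_clear_stats(dev, ifaceopt, opts)` call at the top of the hunk, which still passes `ifaceopt` through unchecked — treat an empty `-i ''` as "no interface" in the way the commit message describes is not visible here and may deserve the same look. main() starts and ends outside the hunk.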