author | 2019-04-18 22:29:41 +0000 | |
---|---|---|
committer | 2019-04-18 22:29:41 +0000 | |
commit | 898866c293b8a3d1c25a9654c74fcab7bb725e3b (patch) | |
tree | 78266c3554c94a0a760cf2c5ff8ad1deb621be3f | |
parent | Fix table definition parsing as unprivileged user (diff) | |
Always check for namespace collisions on table commands
`-t table -T add|replace ...' would only check for duplicate tables in case
addresses were actually added to the table.
Instead of using a positive number of added addresses as proof for
successful table operations, rely on the fact that CREATE_TABLE() is
guaranteed to be called only if pf(4) can be accessed, that is
warn_duplicate_tables() will return.
This improves duplicate detection rate as warnings are now also emitted
even when table commands eventually leave tables unchanged.
OK benno sashan
-rw-r--r-- | sbin/pfctl/pfctl_table.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 6ed4024da4e..9507418644e 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.80 2019/01/11 01:56:54 kn Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.81 2019/04/18 22:29:41 kn Exp $ */
 /* * Copyright (c) 2002 Cedric Berger
@@ -83,6 +83,8 @@ static const char *istats_text[2][2][2] = {
 } while (0)
 #define CREATE_TABLE do { \
+ warn_duplicate_tables(table.pfrt_name, \
+ table.pfrt_anchor); \
 table.pfrt_flags |= PFR_TFLAG_PERSIST; \
 if ((!(opts & PF_OPT_NOACTION) || \
 (opts & PF_OPT_DUMMYACTION)) && \
@@ -92,8 +94,6 @@ static const char *istats_text[2][2][2] = {
 goto _error; \
 } \
 if (nadd) { \
- warn_duplicate_tables(table.pfrt_name, \
- table.pfrt_anchor); \
 xprintf(opts, "%d table created", nadd); \
 if (opts & PF_OPT_NOACTION) \
 return (0); \ |
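Review bot: The precondition that makes the hoisted `warn_duplicate_tables()` call safe is stated only in the commit message, not at `CREATE_TABLE` itself. In the second hunk the call now sits ahead of the `PF_OPT_NOACTION`/`PF_OPT_DUMMYACTION` guard, so it runs on every expansion, including dry runs and the path where the following add fails and jumps to `_error`. Going by the description, it is only guaranteed to return when pf(4) can be accessed. A comment above the macro such as `/* Expand only once pf(4) access is established; warn_duplicate_tables() may not return otherwise. */` would record that contract for future callers, which matters because a skipped or aborted collision check can leave a shadowing table name unnoticed. The macro body starts and ends outside these hunks, so its callers could not be checked from here.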