git: e86bddea9fe6 - main - pf: Split pf_rule into kernel and user space versions
Kristof Provost
kp at FreeBSD.org
Thu Apr 29 15:19:03 UTC 2021
On 29 Apr 2021, at 17:14, Shawn Webb wrote:
> On Tue, Jan 05, 2021 at 10:37:54PM +0000, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL:
>> https://cgit.FreeBSD.org/src/commit/?id=e86bddea9fe62d5093a1942cf21950b3c5ca62e5
>>
>> commit e86bddea9fe62d5093a1942cf21950b3c5ca62e5
>> Author: Kristof Provost <kp at FreeBSD.org>
>> AuthorDate: 2020-12-05 13:32:54 +0000
>> Commit: Kristof Provost <kp at FreeBSD.org>
>> CommitDate: 2021-01-05 22:35:36 +0000
>>
>> pf: Split pf_rule into kernel and user space versions
>>
>> No functional change intended.
>>
>> MFC after: 2 weeks
>> Sponsored by: Orange Business Services
>> Differential Revision: https://reviews.freebsd.org/D27758
>
> Hey Kristof,
>
> This commit breaks the security/expiretable port. Specifically, the
> guarding of the pf_state struct, which expiretable uses directly.
>
Yeah, it’s come up before:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253547

Tl;dr: The expiretable port used a struct it should not have been using.
That part of the code never[*] worked, but it’s not actually used
anyway. Renato has a patch to fix the port by simply deleting the
offending code.

Best regards,
Kristof

[*] Not in recent memory anyway. At least since 2012. That’s when the
pf code was moved around in the tree and I’ve not dug further to see
when this started to be wrong.