pfctl: restore '-Tload -f pf.conf' functionality

Allow only tables to be loaded from a file, rather than everything (i.e.
including options, rules).

Add a test case for this.

PR:		291318
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2025-12-01 16:05:09 +01:00
parent d6f1acf94d
commit 7a283c4018
2 changed files with 37 additions and 1 deletions
+2 -1
@@ -3406,7 +3406,8 @@ main(int argc, char *argv[])
if ((opts & PF_OPT_NODNS) && (opts & PF_OPT_USEDNS))
errx(1, "-N and -r are mutually exclusive");
if ((tblcmdopt == NULL) ^ (tableopt == NULL))
if ((tblcmdopt == NULL) ^ (tableopt == NULL) &&
(tblcmdopt == NULL || *tblcmdopt != 'l'))
usage();
if (tblcmdopt != NULL) {
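Review bot: The new condition mixes `^` and `&&` with no parentheses around the XOR term; it parses as intended because `^` binds tighter than `&&` in C, but the reader has to know that, and the reason for the exemption (`-T load` takes its tables from the file, so `-t` is optional for it) is not stated anywhere. I would parenthesize and say why: `/* -T load reads its tables from the file, so -t is optional for it. */` followed by `if (((tblcmdopt == NULL) ^ (tableopt == NULL)) && (tblcmdopt == NULL || *tblcmdopt != 'l'))`. The exemption keys on the first character of tblcmdopt, which presumably mirrors the first-letter matching the table commands use elsewhere in this file; any future table command starting with 'l' would silently inherit it, so a comment to that effect near the later dispatch would help. main() starts and ends outside this hunk.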
+35
@@ -808,6 +808,40 @@ replace_cleanup()
pft_cleanup
}
atf_test_case "load" "cleanup"
load_head()
{
atf_set descr 'Test pfctl -T load (PR 291318)'
atf_set require.user root
}
load_body()
{
pft_init
epair_send=$(vnet_mkepair)
ifconfig ${epair_send}a 192.0.2.1/24 up
vnet_mkjail alcatraz ${epair_send}b
jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up
jexec alcatraz pfctl -e
echo -e "table <private> persist { 172.16/12 }\nblock\npass in from <private>\n" \
| atf_check -s exit:0 jexec alcatraz pfctl -Tload -f -
atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
atf_check -s exit:0 -o not-match:"block" \
jexec alcatraz pfctl -sr
atf_check -s exit:0 -o match:'172.16.0.0/12' \
jexec alcatraz pfctl -Tshow -t private
}
load_cleanup()
{
pft_cleanup
}
atf_init_test_cases()
{
atf_add_test_case "v4_counters"
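Review bot: load_body only proves that the `block` rule was not installed; the `pass in from <private>` rule that is also fed in, and the options the commit message says are skipped as well, are never checked, so a regression that installs everything except `block` would still pass. Assuming the fresh jail has an empty ruleset after pft_init and `pfctl -e`, `atf_check -s exit:0 -o empty jexec alcatraz pfctl -sr` covers both rules at once, and adding a `set` line (for example `set skip on lo0`) to the piped config and asserting it does not show up in `pfctl -sa` would cover the options path. The config is built with `echo -e`, which works in FreeBSD's sh builtin but not in /bin/echo; `printf` would make the intent unambiguous if this file is ever run under another shell. The atf_init_test_cases() body that this hunk's context opens continues into the second hunk.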
@@ -827,4 +861,5 @@ atf_init_test_cases()
atf_add_test_case "show_recursive"
atf_add_test_case "in_anchor"
atf_add_test_case "replace"
atf_add_test_case "load"
}