pfctl: parser must not ignore error from pfctl_optimize_ruleset()

kprovost · kprovost · commit 343ace42f82a · 2026-03-22T04:47:37.000+01:00
Ignoring the error may cause pfctl(8) to load inconsistent ruleset preventing pf(4) to enforce desired policy. Issue reported and fix suggested by berts _from_ fastmail _dot_ com 'Looks good.' @deraadt MFC after: 1 week Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 9fd28a8cca Sponsored by: Rubicon Communications, LLC ("Netgate")
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
@@ -2513,8 +2513,9 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
 			printf("\n");
 	}
 
-	if (pf->optimize && rs_num == PF_RULESET_FILTER)
-		pfctl_optimize_ruleset(pf, rs);
+	if (pf->optimize && rs_num == PF_RULESET_FILTER &&
+	    (error = pfctl_optimize_ruleset(pf, rs)) != 0)
+		goto error;
 
 	while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
 		TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
