svn commit: r334726 - in head: etc/rc.d sbin/pfctl
Kristof Provost
kp at FreeBSD.org
Wed Jun 6 19:36:39 UTC 2018
Author: kp
Date: Wed Jun 6 19:36:37 2018
New Revision: 334726
URL: https://svnweb.freebsd.org/changeset/base/334726
Log:
pf: Return non-zero from 'status' if pf is not enabled
In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf
onestatus` always provided an exit status of zero. This made it fiddly to
programmatically determine if pf was running or not.
Return a non-zero status if the pf module is not loaded, and extend pfctl with
an option that returns an error status if pf is not enabled.
PR: 228632
Submitted by: James Park-Watt <jimmypw AT gmail.com>
MFC after: 1 week
Modified:
head/etc/rc.d/pf
head/sbin/pfctl/pfctl.8
head/sbin/pfctl/pfctl.c
head/sbin/pfctl/pfctl_parser.c
head/sbin/pfctl/pfctl_parser.h
Modified: head/etc/rc.d/pf
==============================================================================
--- head/etc/rc.d/pf Wed Jun 6 19:27:06 2018 (r334725)
+++ head/etc/rc.d/pf Wed Jun 6 19:36:37 2018 (r334726)
@@ -66,8 +66,10 @@ pf_status()
{
if ! [ -c /dev/pf ] ; then
echo "pf.ko is not loaded"
+ return 1
else
$pf_program -s info
+ $pf_program -s Running >/dev/null
fi
}
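Review bot: pf_status now takes its exit status from the last command in the `else` branch, `$pf_program -s Running >/dev/null`, and nothing in the function says so; a later edit that appends another command after it would silently turn the status back to zero. A comment above that line such as `# Must stay last: its exit status is the result of 'status' (non-zero when pf is disabled, and presumably when the query fails).` would pin the contract. The status of `$pf_program -s info` is discarded, and the two pfctl calls query the kernel separately, so the printed info and the exit status are not guaranteed to describe the same instant.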
Modified: head/sbin/pfctl/pfctl.8
==============================================================================
--- head/sbin/pfctl/pfctl.8 Wed Jun 6 19:27:06 2018 (r334725)
+++ head/sbin/pfctl/pfctl.8 Wed Jun 6 19:36:37 2018 (r334726)
@@ -412,6 +412,8 @@ Show filter information (statistics and counters).
When used together with
.Fl v ,
source tracking statistics are also shown.
+.It Fl s Cm Running
+Show the running status and provide a non-zero exit status when disabled.
.It Fl s Cm labels
Show per-rule statistics (label, evaluations, packets total, bytes total,
packets in, bytes in, packets out, bytes out, state creations) of
Modified: head/sbin/pfctl/pfctl.c
==============================================================================
--- head/sbin/pfctl/pfctl.c Wed Jun 6 19:27:06 2018 (r334725)
+++ head/sbin/pfctl/pfctl.c Wed Jun 6 19:36:37 2018 (r334726)
@@ -96,6 +96,7 @@ int pfctl_show_nat(int, int, char *);
int pfctl_show_src_nodes(int, int);
int pfctl_show_states(int, const char *, int);
int pfctl_show_status(int, int);
+int pfctl_show_running(int);
int pfctl_show_timeouts(int, int);
int pfctl_show_limits(int, int);
void pfctl_debug(int, u_int32_t, int);
@@ -217,7 +218,7 @@ static const char * const clearopt_list[] = {
static const char * const showopt_list[] = {
"nat", "queue", "rules", "Anchors", "Sources", "states", "info",
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
- "all", NULL
+ "Running", "all", NULL
};
static const char * const tblcmdopt_list[] = {
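Review bot: The new "Running" entry begins with the same letter as the existing "rules" entry, differing only in case, and nothing in the list says that this matters. The dispatch added in main() later in this commit is `case 'R':`, which suggests the show options are selected by their first character. A comment above showopt_list, for example `/* first character of each entry must be unique (case-sensitive): main() switches on it */`, would keep a future entry from colliding. The switch expression itself is outside the hunks shown, so confirm that before wording the comment.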
@@ -1155,6 +1156,20 @@ pfctl_show_status(int dev, int opts)
}
int
+pfctl_show_running(int dev)
+{
+ struct pf_status status;
+
+ if (ioctl(dev, DIOCGETSTATUS, &status)) {
+ warn("DIOCGETSTATUS");
+ return (-1);
+ }
+
+ print_running(&status);
+ return (!status.running);
+}
+
+int
pfctl_show_timeouts(int dev, int opts)
{
struct pfioc_tm pt;
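Review bot: pfctl_show_running() has three return values (-1 when the DIOCGETSTATUS ioctl fails, 1 when pf is disabled, 0 when it is enabled) and no comment stating them, while the man page text added in this commit only promises a non-zero exit status when disabled. Callers such as the rc.d script use this to decide whether the firewall is active, so a header comment should spell the contract out, e.g. `/* Print "Enabled"/"Disabled"; return 0 if pf is running, 1 if not, -1 if the status could not be read. */`. It is worth stating there that a failed query is reported as non-zero, so a monitoring script never reads an unreadable state as "enabled".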
@@ -2273,6 +2288,9 @@ main(int argc, char *argv[])
break;
case 'i':
pfctl_show_status(dev, opts);
+ break;
+ case 'R':
+ error = pfctl_show_running(dev);
break;
case 't':
pfctl_show_timeouts(dev, opts);
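Review bot: `error = pfctl_show_running(dev);` overwrites whatever `error` held before this case, and stores -1 when the ioctl fails; the neighbouring cases in the hunk call their helpers without using the return value, so this is the only visible show option that can reset it. If an earlier step in main() can already have set `error` (the rest of main() is outside the hunk), an "Enabled" answer would clear that failure and the process would presumably exit 0. `if (pfctl_show_running(dev)) error = 1;` keeps an earlier failure and gives scripts a single well-defined non-zero value.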
Modified: head/sbin/pfctl/pfctl_parser.c
==============================================================================
--- head/sbin/pfctl/pfctl_parser.c Wed Jun 6 19:27:06 2018 (r334725)
+++ head/sbin/pfctl/pfctl_parser.c Wed Jun 6 19:36:37 2018 (r334726)
@@ -615,6 +615,12 @@ print_status(struct pf_status *s, int opts)
}
void
+print_running(struct pf_status *status)
+{
+ printf("%s\n", status->running ? "Enabled" : "Disabled");
+}
+
+void
print_src_node(struct pf_src_node *sn, int opts)
{
struct pf_addr_wrap aw;
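Review bot: print_running() only reads `status->running`, so the parameter can be `const struct pf_status *status`, with the matching prototype in pfctl_parser.h changed to `void print_running(const struct pf_status *);`. That documents that the helper does not modify the kernel-supplied status and lets it be called with a const object. The existing print_status() takes a non-const pointer, so this is a departure from the neighbouring style rather than a fix.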
Modified: head/sbin/pfctl/pfctl_parser.h
==============================================================================
--- head/sbin/pfctl/pfctl_parser.h Wed Jun 6 19:27:06 2018 (r334725)
+++ head/sbin/pfctl/pfctl_parser.h Wed Jun 6 19:36:37 2018 (r334726)
@@ -257,6 +257,7 @@ void print_src_node(struct pf_src_node *, int);
void print_rule(struct pf_rule *, const char *, int, int);
void print_tabledef(const char *, int, int, struct node_tinithead *);
void print_status(struct pf_status *, int);
+void print_running(struct pf_status *);
int eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
struct node_queue_opt *);