pfctl

Kristof Provost Wed, 13 Jun 2018 06:15:38 -0700

Author: kp
Date: Wed Jun 13 13:15:04 2018
New Revision: 335058
URL: https://svnweb.freebsd.org/changeset/base/335058


Log:
  MFC r334726:
  
  pf: Return non-zero from 'status' if pf is not enabled
  
  In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf
  onestatus` always provided an exit status of zero. This made it fiddly to
  programmatically determine if pf was running or not.
  
  Return a non-zero status if the pf module is not loaded, extend pfctl to have
  an option to return an error status if pf is not enabled.
  
  PR:           228632
  Submitted by: James Park-Watt <jimmypw AT gmail.com>

Modified:
  stable/11/etc/rc.d/pf
  stable/11/sbin/pfctl/pfctl.8
  stable/11/sbin/pfctl/pfctl.c
  stable/11/sbin/pfctl/pfctl_parser.c
  stable/11/sbin/pfctl/pfctl_parser.h
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/etc/rc.d/pf
==============================================================================
--- stable/11/etc/rc.d/pf       Wed Jun 13 12:44:45 2018        (r335057)
+++ stable/11/etc/rc.d/pf       Wed Jun 13 13:15:04 2018        (r335058)
@@ -66,8 +66,10 @@ pf_status()
 {
        if ! [ -c /dev/pf ] ; then
                echo "pf.ko is not loaded"
+               return 1
        else
                $pf_program -s info
+               $pf_program -s Running >/dev/null
        fi
 }
 

Modified: stable/11/sbin/pfctl/pfctl.8
==============================================================================
--- stable/11/sbin/pfctl/pfctl.8        Wed Jun 13 12:44:45 2018        
(r335057)
+++ stable/11/sbin/pfctl/pfctl.8        Wed Jun 13 13:15:04 2018        
(r335058)
@@ -412,6 +412,8 @@ Show filter information (statistics and counters).
 When used together with
 .Fl v ,
 source tracking statistics are also shown.
+.It Fl s Cm Running
+Show the running status and provide a non-zero exit status when disabled.
 .It Fl s Cm labels
 Show per-rule statistics (label, evaluations, packets total, bytes total,
 packets in, bytes in, packets out, bytes out, state creations) of

Modified: stable/11/sbin/pfctl/pfctl.c
==============================================================================
--- stable/11/sbin/pfctl/pfctl.c        Wed Jun 13 12:44:45 2018        
(r335057)
+++ stable/11/sbin/pfctl/pfctl.c        Wed Jun 13 13:15:04 2018        
(r335058)
@@ -96,6 +96,7 @@ int    pfctl_show_nat(int, int, char *);
 int     pfctl_show_src_nodes(int, int);
 int     pfctl_show_states(int, const char *, int);
 int     pfctl_show_status(int, int);
+int     pfctl_show_running(int);
 int     pfctl_show_timeouts(int, int);
 int     pfctl_show_limits(int, int);
 void    pfctl_debug(int, u_int32_t, int);
@@ -217,7 +218,7 @@ static const char *clearopt_list[] = {
 static const char *showopt_list[] = {
        "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
        "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
-       "all", NULL
+       "Running", "all", NULL
 };
 
 static const char *tblcmdopt_list[] = {
@@ -1155,6 +1156,20 @@ pfctl_show_status(int dev, int opts)
 }
 
 int
+pfctl_show_running(int dev)
+{
+       struct pf_status status;
+
+       if (ioctl(dev, DIOCGETSTATUS, &status)) {
+               warn("DIOCGETSTATUS");
+               return (-1);
+       }
+
+       print_running(&status);
+       return (!status.running);
+}
+
+int
 pfctl_show_timeouts(int dev, int opts)
 {
        struct pfioc_tm pt;
@@ -2271,6 +2286,9 @@ main(int argc, char *argv[])
                        break;
                case 'i':
                        pfctl_show_status(dev, opts);
+                       break;
+               case 'R':
+                       error = pfctl_show_running(dev);
                        break;
                case 't':
                        pfctl_show_timeouts(dev, opts);

Modified: stable/11/sbin/pfctl/pfctl_parser.c
==============================================================================
--- stable/11/sbin/pfctl/pfctl_parser.c Wed Jun 13 12:44:45 2018        
(r335057)
+++ stable/11/sbin/pfctl/pfctl_parser.c Wed Jun 13 13:15:04 2018        
(r335058)
@@ -615,6 +615,12 @@ print_status(struct pf_status *s, int opts)
 }
 
 void
+print_running(struct pf_status *status)
+{
+       printf("%s\n", status->running ? "Enabled" : "Disabled");
+}
+
+void
 print_src_node(struct pf_src_node *sn, int opts)
 {
        struct pf_addr_wrap aw;

Modified: stable/11/sbin/pfctl/pfctl_parser.h
==============================================================================
--- stable/11/sbin/pfctl/pfctl_parser.h Wed Jun 13 12:44:45 2018        
(r335057)
+++ stable/11/sbin/pfctl/pfctl_parser.h Wed Jun 13 13:15:04 2018        
(r335058)
@@ -257,6 +257,7 @@ void        print_src_node(struct pf_src_node *, int);
 void   print_rule(struct pf_rule *, const char *, int, int);
 void   print_tabledef(const char *, int, int, struct node_tinithead *);
 void   print_status(struct pf_status *, int);
+void   print_running(struct pf_status *);
 
 int    eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
            struct node_queue_opt *);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

svn commit: r335058 - in stable/11: etc/rc.d sbin/pfctl

Reply via email to