pfctl: Fix ifgroup check

We cannot just assume that any name which ends with a letter is a group That's not been true since we allowed renaming of network interfaces. It's also not true for things like epair0a. Try to retrieve the group members for the name to check, since we'll get ENOENT if the group doesn't exist. MFC after: 1 week Event: Aberdeen hackathon 2019
svn path=/head/; revision=346370
2019-04-19 10:52:54 +00:00 · 2019-04-19 10:52:54 +00:00 · 7296d6c9bf · 2020-12-20 02:59:44 +00:00
commit 7296d6c9bf
parent 5ddaf8458e
1 changed files with 15 additions and 5 deletions
--- a/sbin/pfctl/pfctl_optimize.c
+++ b/sbin/pfctl/pfctl_optimize.c
@ -1500,14 +1500,24 @@ superblock_inclusive(struct superblock *block, struct pf_opt_rule *por)
 int
 interface_group(const char *ifname)
 {
+	int			s;
+	struct ifgroupreq	ifgr;
+
 	if (ifname == NULL || !ifname[0])
 		return (0);

-	/* Real interfaces must end in a number, interface groups do not */
-	if (isdigit(ifname[strlen(ifname) - 1]))
-		return (0);
-	else
-		return (1);
+	s = get_query_socket();
+
+	memset(&ifgr, 0, sizeof(ifgr));
+	strlcpy(ifgr.ifgr_name, ifname, IFNAMSIZ);
+	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
+		if (errno == ENOENT)
+			return (0);
+		else
+			err(1, "SIOCGIFGMEMB");
+	}
+
+	return (1);
 }