From 7296d6c9bf670dc48c14ec2dff9eb3a044f12c5e Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Fri, 19 Apr 2019 10:52:54 +0000
Subject: [PATCH] pfctl: Fix ifgroup check

We cannot just assume that any name which ends with a letter is a group
That's not been true since we allowed renaming of network interfaces.
It's also not true for things like epair0a.

Try to retrieve the group members for the name to check, since we'll get
ENOENT if the group doesn't exist.

MFC after:	1 week
Event:		Aberdeen hackathon 2019
---
 sbin/pfctl/pfctl_optimize.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c
index 7d4381d39524..599ed2424ebf 100644
--- a/sbin/pfctl/pfctl_optimize.c
+++ b/sbin/pfctl/pfctl_optimize.c
@@ -1500,14 +1500,24 @@ superblock_inclusive(struct superblock *block, struct pf_opt_rule *por)
 int
 interface_group(const char *ifname)
 {
+	int s;
+	struct ifgroupreq ifgr;
+
 	if (ifname == NULL || !ifname[0])
 		return (0);
 
-	/* Real interfaces must end in a number, interface groups do not */
-	if (isdigit(ifname[strlen(ifname) - 1]))
-		return (0);
-	else
-		return (1);
+	s = get_query_socket();
+
+	memset(&ifgr, 0, sizeof(ifgr));
+	strlcpy(ifgr.ifgr_name, ifname, IFNAMSIZ);
+	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
+		if (errno == ENOENT)
+			return (0);
+		else
+			err(1, "SIOCGIFGMEMB");
+	}
+
+	return (1);
 }