diff --git a/etc/rc.d/pf b/etc/rc.d/pf
index 5bd67e600fa4..57de19218fcf 100755
--- a/etc/rc.d/pf
+++ b/etc/rc.d/pf
@@ -66,8 +66,10 @@ pf_status()
 {
 if ! [ -c /dev/pf ] ; then
 echo "pf.ko is not loaded"
+ return 1
 else
 $pf_program -s info
+ $pf_program -s Running >/dev/null
 fi
 }
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 07e99ae9f4df..f12489d9493a 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -412,6 +412,8 @@ Show filter information (statistics and counters).
 When used together with
 .Fl v ,
 source tracking statistics are also shown.
+.It Fl s Cm Running
+Show the running status and provide a non-zero exit status when disabled.
 .It Fl s Cm labels
 Show per-rule statistics (label, evaluations, packets total, bytes total,
 packets in, bytes in, packets out, bytes out, state creations) of
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 98564ab1ca33..6388db90d97d 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -96,6 +96,7 @@ int pfctl_show_nat(int, int, char *);
 int pfctl_show_src_nodes(int, int);
 int pfctl_show_states(int, const char *, int);
 int pfctl_show_status(int, int);
+int pfctl_show_running(int);
 int pfctl_show_timeouts(int, int);
 int pfctl_show_limits(int, int);
 void pfctl_debug(int, u_int32_t, int);
@@ -217,7 +218,7 @@ static const char * const clearopt_list[] = {
 static const char * const showopt_list[] = {
 "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
- "all", NULL
+ "Running", "all", NULL
 };
 static const char * const tblcmdopt_list[] = {
@@ -1154,6 +1155,20 @@ pfctl_show_status(int dev, int opts)
 return (0);
 }
+int
+pfctl_show_running(int dev)
+{
+ struct pf_status status;
+
+ if (ioctl(dev, DIOCGETSTATUS, &status)) {
+ warn("DIOCGETSTATUS");
+ return (-1);
+ }
+
+ print_running(&status);
+ return (!status.running);
+}
+
 int
 pfctl_show_timeouts(int dev, int opts)
 {
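Review bot: The added `$pf_program -s Running >/dev/null` line in pf_status() carries no explanation of why its output is discarded, and the reason is not obvious: it is the last command of the `else` branch, so only its exit status matters, as that becomes the return value of the function (presumably `-s info` just above already prints the status text). A comment such as `# -s info already printed the status; only the exit status of -s Running is wanted` would spare the next reader a trip to pfctl(8). Note also that the not-loaded branch now returns 1, the same value a disabled pf yields, so a caller checking only the status code cannot tell "pf.ko is not loaded" from "pf is disabled"; if monitoring needs the distinction, a separate code such as `return 2` on the not-loaded path keeps the two apart. The exit status of `$pf_program -s info` itself is still not checked, which matches the previous behaviour.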
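Review bot: The return contract of the new pfctl_show_running() mixes two conventions: `return (-1)` on a failed DIOCGETSTATUS and `return (!status.running)`, i.e. 1, when pf is merely disabled, and the `case 'R'` hunk in main() assigns that value straight to `error`. If main() ends with `exit(error)`, as the existing `error` variable suggests, the ioctl failure surfaces as exit status 255 while the manual page only promises "non-zero when disabled", and a script cannot tell a disabled pf from a broken /dev/pf. A comment above the function stating the contract, e.g. `/* Returns 0 if pf is enabled, 1 if disabled, -1 if DIOCGETSTATUS failed. */`, would pin this down, and a small positive code on the failure path (`return (2);`) would keep all three outcomes distinguishable from the exit status that rc.d/pf now relies on. The `case 'R'` hunk in main() also differs from the sibling `case 'i'`, which ignores the return value of pfctl_show_status(); that difference is intentional here and worth a one-line comment, `/* exit status reflects whether pf is enabled */`.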
@@ -2274,6 +2289,9 @@ main(int argc, char *argv[])
 case 'i':
 pfctl_show_status(dev, opts);
 break;
+ case 'R':
+ error = pfctl_show_running(dev);
+ break;
 case 't':
 pfctl_show_timeouts(dev, opts);
 break;
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 7786061839c9..d3ac9506ac35 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -614,6 +614,12 @@ print_status(struct pf_status *s, int opts)
 }
 }
+void
+print_running(struct pf_status *status)
+{
+ printf("%s\n", status->running ? "Enabled" : "Disabled");
+}
+
 void
 print_src_node(struct pf_src_node *sn, int opts)
 {
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index e652c97cf203..a97859edcc3b 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -257,6 +257,7 @@ void print_src_node(struct pf_src_node *, int);
 void print_rule(struct pf_rule *, const char *, int, int);
 void print_tabledef(const char *, int, int, struct node_tinithead *);
 void print_status(struct pf_status *, int);
+void print_running(struct pf_status *);
 int eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
 struct node_queue_opt *);
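Review bot: print_running() in pfctl_parser.c only reads `status->running`, so its parameter should be const-qualified, `void print_running(const struct pf_status *status)`, with the same change to the prototype added in the pfctl_parser.h hunk. The neighbouring print_status() takes a non-const pointer, so this is a deliberate departure from the file's older signatures, but a read-only pointer parameter is the usual C convention and lets callers pass a const status. The function also has no header comment; something like `/* Print "Enabled" or "Disabled" for pfctl -s Running; the caller turns the same flag into the exit status. */` would tie the output to its consumer, since the rc script discards the text and uses only the exit status.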