pf: Return non-zero from 'status' if pf is not enabled

In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf onestatus` always provided an exit status of zero. This made it fiddly to programmatically determine if pf was running or not. Return a non-zero status if the pf module is not loaded, extend pfctl to have an option to return an error status if pf is not enabled. PR: 228632 Submitted by: James Park-Watt <jimmypw AT gmail.com> MFC after: 1 week
2018-06-06 19:36:37 +00:00 · 2018-06-06 19:36:37 +00:00 · 86ab05f953
commit 86ab05f953
parent a14ea730b6
5 changed files with 30 additions and 1 deletions
--- a/etc/rc.d/pf
+++ b/etc/rc.d/pf
@ -66,8 +66,10 @@ pf_status()
 {
 	if ! [ -c /dev/pf ] ; then
 		echo "pf.ko is not loaded"
+		return 1
 	else
 		$pf_program -s info
+		$pf_program -s Running >/dev/null
 	fi
 }

--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@ -412,6 +412,8 @@ Show filter information (statistics and counters).
 When used together with
 .Fl v ,
 source tracking statistics are also shown.
+.It Fl s Cm Running
+Show the running status and provide a non-zero exit status when disabled.
 .It Fl s Cm labels
 Show per-rule statistics (label, evaluations, packets total, bytes total,
 packets in, bytes in, packets out, bytes out, state creations) of
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@ -96,6 +96,7 @@ int	 pfctl_show_nat(int, int, char *);
 int	 pfctl_show_src_nodes(int, int);
 int	 pfctl_show_states(int, const char *, int);
 int	 pfctl_show_status(int, int);
+int	 pfctl_show_running(int);
 int	 pfctl_show_timeouts(int, int);
 int	 pfctl_show_limits(int, int);
 void	 pfctl_debug(int, u_int32_t, int);
@ -217,7 +218,7 @@ static const char * const clearopt_list[] = {
 static const char * const showopt_list[] = {
 	"nat", "queue", "rules", "Anchors", "Sources", "states", "info",
 	"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
-	"all", NULL
+	"Running", "all", NULL
 };

 static const char * const tblcmdopt_list[] = {
@ -1154,6 +1155,20 @@ pfctl_show_status(int dev, int opts)
 	return (0);
 }

+int
+pfctl_show_running(int dev)
+{
+	struct pf_status status;
+
+	if (ioctl(dev, DIOCGETSTATUS, &status)) {
+		warn("DIOCGETSTATUS");
+		return (-1);
+	}
+
+	print_running(&status);
+	return (!status.running);
+}
+
 int
 pfctl_show_timeouts(int dev, int opts)
 {
@ -2274,6 +2289,9 @@ main(int argc, char *argv[])
 		case 'i':
 			pfctl_show_status(dev, opts);
 			break;
+		case 'R':
+			error = pfctl_show_running(dev);
+			break;
 		case 't':
 			pfctl_show_timeouts(dev, opts);
 			break;
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@ -614,6 +614,12 @@ print_status(struct pf_status *s, int opts)
 	}
 }

+void
+print_running(struct pf_status *status)
+{
+	printf("%s\n", status->running ? "Enabled" : "Disabled");
+}
+
 void
 print_src_node(struct pf_src_node *sn, int opts)
 {
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@ -257,6 +257,7 @@ void	print_src_node(struct pf_src_node *, int);
 void	print_rule(struct pf_rule *, const char *, int, int);
 void	print_tabledef(const char *, int, int, struct node_tinithead *);
 void	print_status(struct pf_status *, int);
+void	print_running(struct pf_status *);

 int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
 	    struct node_queue_opt *);