# pfctl -t nonexistant -T show > /dev/null 2>&1
# echo $?
255
# pfctl -t bruteforce -T show > /dev/null 2>&1
# echo $?
0
#
-s Tables Show the list of tables
> As far as I can tell there's no specific pfctl(8) command that only checks the existence of a table. So the easiest solution is just to 'show' the table and check the return code to see whether it succeeded or not. If it's successful (return code 0) then the table exists.

Agree that there is a system flaw. pf as a solution is actually focused only on manual maintenance - it does not have any API.
#!/bin/sh
# Checks for existence of the table "$1" (including attached to anchors)
# Exit codes : 0=Found ; 1=Not found
# awk exits 1 as soon as a line equal to the table name is seen; the leading
# '!' (valid only at the start of a pipeline) negates that, so a match gives 0.
! pfctl -gs Tables | awk "/^$1\$/{exit 1}"
> Agree that there is a system flaw. pf as a solution is actually focused only on manual maintenance - it does not have any API.

The ioctl interface very much is an API.
> Probably we can say that there is some kind of lower-level API - you can enter information in data structures and call ioctls.
> However, it will be necessary to constantly ensure that nothing has changed there, otherwise this fairly correct method will stop working. And, unexpectedly.

The ioctl interface is essentially stable. It sometimes gets extended, but we basically never deliberately break it. Certainly not outside of major version upgrades.
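As an added example (not code from the thread, from pfctl or from libpfctl), this is the "fill in a data structure and call the ioctl" path the reply describes, applied to the table-existence question that opened the thread: it asks the kernel for the table list with DIOCRGETTABLES and matches the name in C instead of parsing pfctl output. It assumes a FreeBSD host with read access to /dev/pf; the `struct pfr_table` stand-in and the sample table list are constructed so the matching logic can be built and tested on a host without pf.

```c
/* Added example (not from the thread): test for a pf table through the pf ioctl
 * interface (DIOCRGETTABLES) instead of parsing pfctl output.
 * FreeBSD: cc -o pftab pftab.c ; needs read access to /dev/pf (root). */
#include <sys/ioctl.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/socket.h>
#include <net/if.h>
#include <net/pfvar.h>
#else /* stand-in (assumption, not the kernel's struct) so find_table() builds without pf */
struct pfr_table { char pfrt_anchor[1024]; char pfrt_name[32]; };
#endif
/* 1 if tbl[0..n) holds table 'name' in 'anchor' ("" = main ruleset); both are NUL-terminated. */
int find_table(const struct pfr_table *tbl, int n, const char *anchor, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tbl[i].pfrt_name, name) == 0 && strcmp(tbl[i].pfrt_anchor, anchor) == 0)
            return 1;
    return 0;
}
/* Constructed sample of what DIOCRGETTABLES returns, for offline testing. */
const struct pfr_table sample_tables[] = {
    { .pfrt_anchor = "", .pfrt_name = "bruteforce" },
    { .pfrt_anchor = "blocklistd", .pfrt_name = "port22" } };
const int sample_count = 2;
#ifdef __FreeBSD__
/* 1 if the table exists, 0 if not, -1 on error (errno set). */
int pf_table_exists(const char *anchor, const char *name)
{
    struct pfioc_table io = { .pfrio_esize = sizeof(struct pfr_table),
                              .pfrio_flags = PFR_FLAG_ALLRSETS }; /* tables of every anchor */
    struct pfr_table *tbl = NULL; int dev, want, found = -1;
    if ((dev = open("/dev/pf", O_RDONLY)) < 0) return -1;
    if (ioctl(dev, DIOCRGETTABLES, &io) < 0) goto out; /* pfrio_size 0: kernel reports the count only */
    want = io.pfrio_size;
    if ((io.pfrio_buffer = tbl = calloc(want + 1, sizeof(*tbl))) == NULL) goto out;
    if (ioctl(dev, DIOCRGETTABLES, &io) < 0) goto out; /* second call fills the buffer */
    if (io.pfrio_size > want) { errno = EAGAIN; goto out; } /* table set grew in between */
    found = find_table(tbl, io.pfrio_size, anchor, name);
out:
    free(tbl); close(dev);
    return found;
}
#endif
```

The two-call pattern (count first, then fetch) is the same one pfctl itself uses, and the size re-check after the second call is what keeps a table added between the calls from turning into an out-of-bounds read.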
> I believe that we need some kind of API that is logically linked to the functionality of pfctl. And pfctl should be based on it - this ensures that if there are changes, the API will be adjusted at the same time.

https://cgit.freebsd.org/src/tree/lib/libpfctl is incomplete, but is being extended as we go.
> https://cgit.freebsd.org/src/tree/lib/libpfctl is incomplete, but is being extended as we go.

Thank you! In fact, this is what I was looking for!
BROKEN_FreeBSD_12= Will not work until nvlist-ified ioctls are available
BROKEN_FreeBSD_13= Will not work until nvlist-ified ioctls are available
> https://cgit.freebsd.org/src/tree/lib/libpfctl is incomplete, but is being extended as we go.

Tell me, please, where DIOCGETETHRULESETS, DIOCGETETHRULESET, DIOCGETETHRULES, DIOCGETETHRULE, DIOCADDETHRULE and PF_RULESET_ETH are defined? They are used in your library but are not defined in the header file.

> Tell me, please, where DIOCGETETHRULESETS, DIOCGETETHRULESET, DIOCGETETHRULES, DIOCGETETHRULE, DIOCADDETHRULE and PF_RULESET_ETH are defined? They are used in your library but are not defined in the header file.
(kp@juno) ~/proj/reference/freebsd(git)-[main] % grep -r DIOCGETETHRULESETS . [21:06]
./sbin/pfctl/pfctl.c: warn("DIOCGETETHRULESETS");
./sbin/pfctl/pfctl.c: err(1, "DIOCGETETHRULESETS");
./sys/net/pfvar.h:#define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv)
^C
> (kp@juno) ~/proj/reference/freebsd(git)-[main] % grep -r DIOCGETETHRULESETS . [21:06]
> ./sbin/pfctl/pfctl.c: warn("DIOCGETETHRULESETS");
> ./sbin/pfctl/pfctl.c: err(1, "DIOCGETETHRULESETS");
> ./sys/net/pfvar.h:#define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv)
> ^C

Oddly enough, on my machine there are no such definitions in /usr/include/net/pfvar.h and /usr/src/sys/net/pfvar.h.
> Oddly enough, on my machine there are no such definitions in /usr/include/net/pfvar.h and /usr/src/sys/net/pfvar.h.
> Where can one get such files?

You have an outdated source tree. Get the latest source from https://cgit.freebsd.org/src/
> You have an outdated source tree. Get the latest source from https://cgit.freebsd.org/src/

Thanks. If you take the pfvar.h file from this repository, then the necessary definitions are present in it.
/* Fallback definitions for a pfvar.h that predates the ethernet-rule ioctls */
#ifndef PF_RULESET_ETH
#define PF_RULESET_ETH (PF_RULESET_MAX+2)
#endif
#ifndef DIOCADDETHRULE
#define DIOCADDETHRULE _IOWR('D', 97, struct pfioc_nv)
#endif
#ifndef DIOCGETETHRULE
#define DIOCGETETHRULE _IOWR('D', 98, struct pfioc_nv)
#endif
#ifndef DIOCGETETHRULES
#define DIOCGETETHRULES _IOWR('D', 99, struct pfioc_nv)
#endif
#ifndef DIOCGETETHRULESETS
#define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv)
#endif
#ifndef DIOCGETETHRULESET
#define DIOCGETETHRULESET _IOWR('D', 101, struct pfioc_nv)
#endif