PF: Check for table existence from application

Colleagues, please tell me the easiest way, from an application, to find out whether a table with a specified name exists in pf? Not to get the contents of the table, but to make sure it exists.

Grateful for the replies,
Ogogon.
 
You can use simple code to "grep" the output:

Code:
# pfctl -t non_existent_table -T show | head -1
pfctl: Table does not exist.
# pfctl -t good_table -T show | head -1
 2.2.2.2
 

SirDice

Or look at the return code.

Code:
# pfctl -t nonexistant -T show > /dev/null 2>&1
# echo $?
255
# pfctl -t bruteforce -T show > /dev/null 2>&1
# echo $?
0
#

As far as I can tell there's no specific pfctl(8) command that only checks the existence of a table. So the easiest solution is just to 'show' the table and check the return code to see whether it succeeded or not. If it's successful (return code 0) then the table exists.
 

SirDice

Yeah, looked at that, but you would have to parse the output to figure out if a specific table exists or not. Parsing command output can be quite finicky and error-prone.
 
As far as I can tell there's no specific pfctl(8) command that only checks the existence of a table. So the easiest solution is just to 'show' the table and check the return code to see whether it succeeded or not. If it's successful (return code 0) then the table exists.
I agree that there is a system flaw. pf as a solution is actually focused only on manual maintenance - it does not have any API.
Probably we can say that there is some kind of lower-level API - you can enter information into data structures and call ioctls.
However, it will be necessary to constantly ensure that nothing has changed there, otherwise this fairly correct method will stop working. And unexpectedly.
I believe that some kind of API is needed that is logically linked to the functionality of pfctl. And pfctl should be based on it - this ensures that if there are changes, the API will be adjusted at the same time.
 
Bash:
#!/bin/sh
# Checks for existence of the table "$1" (including attached to anchors)
# Exit codes : 0=Found ; 1=Not found
# awk exits 1 on an exact line match; the leading "!" (which in POSIX sh
# must open the pipeline) turns that into exit 0 for "found".
# Note: if pfctl itself fails (pf disabled, no permission) awk sees no
# output and the script reports "not found".
! pfctl -gs Tables | awk -v t="$1" '$0 == t { exit 1 }'
 
I agree that there is a system flaw. pf as a solution is actually focused only on manual maintenance - it does not have any API.
The ioctl interface very much is an API.
It's also documented in pf(4).

Probably we can say that there is some kind of lower-level API - you can enter information into data structures and call ioctls.
However, it will be necessary to constantly ensure that nothing has changed there, otherwise this fairly correct method will stop working. And unexpectedly.
The ioctl interface is essentially stable. It sometimes gets extended, but we basically never deliberately break it. Certainly not outside of major version upgrades.

I believe that some kind of API is needed that is logically linked to the functionality of pfctl. And pfctl should be based on it - this ensures that if there are changes, the API will be adjusted at the same time.
https://cgit.freebsd.org/src/tree/lib/libpfctl is incomplete, but is being extended as we go.
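To show what "the ioctl interface is the API" means in practice, here is an added example (not code from this thread, from pfctl or from libpfctl): it asks the kernel for the table list with DIOCRGETTABLES, the same ioctl behind pfctl -s Tables, and reports whether an active table with the given name exists, without parsing any command output. It assumes FreeBSD's net/pfvar.h and a readable /dev/pf; the function name pf_table_exists is mine, and on any other OS the body is compiled out and the call fails with ENOSYS.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#endif
/* 1 if an active table `name` exists, 0 if not, -1 on error (errno set; EINVAL
 * if `anchor` names no ruleset). anchor "" = main ruleset, NULL = all anchors. */
int pf_table_exists(const char *name, const char *anchor)
{
#ifdef __FreeBSD__
	struct pfioc_table io;
	struct pfr_table *tbl = NULL, *p;
	int fd, cap = 64, i, rv = -1, saved;
	if ((fd = open("/dev/pf", O_RDONLY)) < 0) return -1; /* read-only suffices */
	memset(&io, 0, sizeof(io));
	io.pfrio_esize = sizeof(struct pfr_table); /* the kernel verifies this */
	if (anchor == NULL) io.pfrio_flags = PFR_FLAG_ALLRSETS;
	else if (strlcpy(io.pfrio_table.pfrt_anchor, anchor,
	    sizeof(io.pfrio_table.pfrt_anchor)) >= sizeof(io.pfrio_table.pfrt_anchor)) {
		errno = ENAMETOOLONG; goto out;
	}
	/* The kernel copies at most pfrio_size entries and reports the true
	 * count back in pfrio_size: grow the buffer until everything fits. */
	do {
		if ((p = realloc(tbl, cap * sizeof(*tbl))) == NULL)
			goto out;
		tbl = p; io.pfrio_buffer = tbl; io.pfrio_size = cap;
		if (ioctl(fd, DIOCRGETTABLES, &io) < 0)
			goto out;
	} while (io.pfrio_size > cap && (cap = io.pfrio_size + 16));
	rv = 0;
	for (i = 0; i < io.pfrio_size; i++) /* exact match, like "pfctl -s Tables" */
		if ((tbl[i].pfrt_flags & PFR_TFLAG_ACTIVE) && !strcmp(tbl[i].pfrt_name, name))
			rv = 1;
out:
	saved = errno; free(tbl); close(fd); errno = saved;
	return rv;
#else
	(void)name; (void)anchor; errno = ENOSYS; return -1;
#endif
}
```

Unlike the exit-code approach, a -1 here carries errno, so "no permission on /dev/pf" and "table not found" are distinguishable.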
 
https://cgit.freebsd.org/src/tree/lib/libpfctl is incomplete, but is being extended as we go.
Thank you! In fact, this is what I was looking for!

Also, there is an older version of this library in /usr/ports, but it does not work with tables and is marked as broken.
Judging by the e-mail specified, you are the port maintainer. Maybe you will find some time to commit the latest version to the ports? I guess that would be good.
 
BROKEN_FreeBSD_12= Will not work until nvlist-ified ioctls are available
BROKEN_FreeBSD_13= Will not work until nvlist-ified ioctls are available

That port is waiting for the FreeBSD versions that predate the relevant calls to go out of support.
 
Tell me, please, where DIOCGETETHRULESETS, DIOCGETETHRULESET, DIOCGETETHRULES, DIOCGETETHRULE, DIOCADDETHRULE and PF_RULESET_ETH are defined? They are used in your library but are not defined in the header file.
(kp@juno) ~/proj/reference/freebsd(git)-[main] % grep -r DIOCGETETHRULESETS . [21:06]
./sbin/pfctl/pfctl.c: warn("DIOCGETETHRULESETS");
./sbin/pfctl/pfctl.c: err(1, "DIOCGETETHRULESETS");
./sys/net/pfvar.h:#define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv)
^C
 
(kp@juno) ~/proj/reference/freebsd(git)-[main] % grep -r DIOCGETETHRULESETS . [21:06]
./sbin/pfctl/pfctl.c: warn("DIOCGETETHRULESETS");
./sbin/pfctl/pfctl.c: err(1, "DIOCGETETHRULESETS");
./sys/net/pfvar.h:#define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv)
^C
Oddly enough, on my machine there are no such definitions in /usr/include/net/pfvar.h and /usr/src/sys/net/pfvar.h.
Where can one get such files?
 
You have an outdated source tree. Get the latest source from https://cgit.freebsd.org/src/
Thank you. If you take the pfvar.h file from this repository, the necessary definitions are present in it.
But on my development machine (FreeBSD 12.3-RELEASE-p5) this file is different and does not contain the specified definitions.
I had to create this file, append.h:
C:
/* Include after <net/pfvar.h>: supplies the ioctls and ruleset id that the
 * 12.3 header lacks, only when the header has not defined them itself. */
#ifndef PF_RULESET_ETH
#define PF_RULESET_ETH          (PF_RULESET_MAX+2)
#endif

#ifndef DIOCADDETHRULE
#define DIOCADDETHRULE          _IOWR('D', 97, struct pfioc_nv)
#endif

#ifndef DIOCGETETHRULE
#define DIOCGETETHRULE          _IOWR('D', 98, struct pfioc_nv)
#endif

#ifndef DIOCGETETHRULES
#define DIOCGETETHRULES         _IOWR('D', 99, struct pfioc_nv)
#endif

#ifndef DIOCGETETHRULESETS
#define DIOCGETETHRULESETS      _IOWR('D', 100, struct pfioc_nv)
#endif

#ifndef DIOCGETETHRULESET
#define DIOCGETETHRULESET       _IOWR('D', 101, struct pfioc_nv)
#endif
After that, the library compiled for me.

Do you have code examples using your library? I want to quickly check that it works on my machine.
 