Bug 228632

Summary: /etc/rc.d/pf returns incorrect exit status.
Product: Base System Reporter: James Park-Watt <jimmypw>
Component: miscAssignee: Kristof Provost <kp>
Status: Closed FIXED    
Severity: Affects Some People CC: emaste, kp
Priority: ---    
Version: 11.1-STABLE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
pf exit status patch none

Description James Park-Watt 2018-05-31 11:27:24 UTC 
Overview:

In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf onestatus` always provides an exit status of 0. This makes it fiddly to programmatically determine if pf is running or not. 

To Reproduce:

Run `/etc/rc.d/pf onestatus` at any point before pf has been started for the first time or after the service has been stopped.

Actual Results:

Case 1) (When module not loaded)
# service pf onestatus
pf.ko is not loaded
# echo $?
0

Case 2) (When module is loaded but the status is disabled)
# service pf onestatus
Status: Disabled for 0 days 00:01:48          Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
...snip...
# echo $?
0


Expected results:

`service pf onestatus; echo $?` should return a non-zero exit status when the service is not running.


Additional information:

While returning a non-zero exit status in the instance where the pf module has not been loaded is a trivial modification to the init script. From what I can tell from pfctl(8) there is no functionality to provide an exit status reflecting the running state of pf.
Comment 1 James Park-Watt 2018-06-01 09:14:31 UTC 
Created attachment 193889 [details]
pf exit status patch

Attached is an indication of what might need to change in order to resolve this bug.
Comment 2 Kristof Provost freebsd_committer freebsd_triage 2018-06-01 09:22:24 UTC 
Thanks for the patch. From a quick look it seems like a reasonable approach.

I'll try to take a closer look (and commit it) in the next week or so. Feel free to chase me if I haven't done anything by the 12th or so.
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-06-06 19:36:53 UTC 
A commit references this bug:

Author: kp
Date: Wed Jun  6 19:36:38 UTC 2018
New revision: 334726
URL: https://svnweb.freebsd.org/changeset/base/334726

Log:
  pf: Return non-zero from 'status' if pf is not enabled

  In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf
  onestatus` always provided an exit status of zero. This made it fiddly to
  programmatically determine if pf was running or not.

  Return a non-zero status if the pf module is not loaded, extend pfctl to have
  an option to return an error status if pf is not enabled.

  PR:		228632
  Submitted by:	James Park-Watt <jimmypw AT gmail.com>
  MFC after:	1 week

Changes:
  head/etc/rc.d/pf
  head/sbin/pfctl/pfctl.8
  head/sbin/pfctl/pfctl.c
  head/sbin/pfctl/pfctl_parser.c
  head/sbin/pfctl/pfctl_parser.h
Comment 4 commit-hook freebsd_committer freebsd_triage 2018-06-13 13:15:11 UTC 
A commit references this bug:

Author: kp
Date: Wed Jun 13 13:15:05 UTC 2018
New revision: 335058
URL: https://svnweb.freebsd.org/changeset/base/335058

Log:
  MFC r334726:

  pf: Return non-zero from 'status' if pf is not enabled

  In the pf rc.d script the output of `/etc/rc.d/pf status` or `/etc/rc.d/pf
  onestatus` always provided an exit status of zero. This made it fiddly to
  programmatically determine if pf was running or not.

  Return a non-zero status if the pf module is not loaded, extend pfctl to have
  an option to return an error status if pf is not enabled.

  PR:		228632
  Submitted by:	James Park-Watt <jimmypw AT gmail.com>

Changes:
_U  stable/11/
  stable/11/etc/rc.d/pf
  stable/11/sbin/pfctl/pfctl.8
  stable/11/sbin/pfctl/pfctl.c
  stable/11/sbin/pfctl/pfctl_parser.c
  stable/11/sbin/pfctl/pfctl_parser.h