pfctl -i Interface -s states does not produce any output in 22.05

pfpv

I am using scripts to kill states on failback from the following link: https://forum.netgate.com/topic/135614/failback-from-primary-wan-after-failover-to-secondary-wan

After not using them for a while I tired to use them on 22.05 and found that the main script doesn't work. I found why.

pfctl -i mvneta0 -ss | grep 'tcp'

does not produce any output. I tried

pfctl -i Interface -s states

for a couple of interfaces and the output is just blank. This is a standard command in FreeBSD. I did not find any description of changes. Is there any other way to get the same output as it was possible to get from

pfctl -i Interface -ss

before?

luckman212

@pfpv Hmm. It doesn't produce any output on my 6100 either, when invoked with the -i flag. Not sure what's going on there.

You could try https://github.com/luckman212/stv for now and use it like

stv '%tcp.*%mvneta0%'

Your script would need to be adjusted because the output format is different (stv output should actually be easier to parse).

stephenw10

It's because the interface is no longer tagged on states like that:

[22.05-RELEASE][admin@apu.stevew.lan]/root: pfctl -vvss
all icmp 172.21.16.10:53294 -> 172.21.16.1:53294       0:0
   age 72:55:22, expires in 00:00:09, 497546:497030 pkts, 14428834:14413870 bytes, rule 76
   id: 618fb96200000001 creatorid: 3ecec8db gateway: 0.0.0.0
   origif: re1
all tcp 172.21.16.10:22 <- 172.21.16.5:38708       ESTABLISHED:ESTABLISHED
   [1885142956 + 2147025153] wscale 7  [2696422768 + 65792] wscale 7
   age 00:55:32, expires in 24:00:00, 273:383 pkts, 24721:34285 bytes, rule 83
   id: f0a5b96200000001 creatorid: 3ecec8db gateway: 172.21.16.1
   origif: re1

All states are shown as 'all' where previously the interface was shown. Instead the interface where the state was created is shown by origif:.

Steve

pfpv

@stephenw10
Was this function rewritten specifically for pfSense? The man page for FreeBSD still shows the option -i. Even in pfSense for

pfctl -h

I get this

usage: pfctl [-AdeghMmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]
	[-f file] [-i interface] [-K host | network]
	[-k host | network | gateway | label | id] [-o level] [-p device]
	[-s modifier] [-t table -T command [address ...]] [-x level]

The -i interface option is still there. Won't it break the code in other packages etc. like it broke the code in the script I mentioned?

What would be the most efficient way to probe states for a particular interface now? I need to run that script every 2 minutes or even more often. It probes the backup interface that is not expected to have any states. Now it seems I have to get a list of all states from all interfaces and find a few out of hundreds and thousands. The stv script mentioned above does that.

stephenw10

They are seen as floating states:
https://github.com/pfsense/FreeBSD-src/commit/7c15871eff2341da68fa5c88fe64d1f386f13c89

Check the code in diag_dump_states which does filtering by interface.

Steve

Proton

@pfpv Hi! Did you get this solved?
I also try the same :?