Add function for getting interface flags

Closes #128

Author: pronebird

CHANGELOG.md

@@ -13,6 +13,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 * **Security**: in case of vulnerabilities.
 
 ## [unreleased]
+### Added
+- Add function for getting interface flags.
 
 
 ## [0.7.0] - 2025-09-12
@@ -126,4 +128,3 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ## [0.1.0] - 2017-12-20
 ### Added
 - Initial functionality able to control most parts of the PF firewall on macOS
-

Cargo.lock

@@ -16,6 +16,7 @@ travis-ci = { repository = "mullvad/pfctl-rs" }
 
 
 [dependencies]
+bitflags = "2.9.4"
 ioctl-sys = "0.8.0"
 libc = "0.2.29"
 derive_builder = "0.20"

Cargo.toml

@@ -20,6 +20,7 @@ bindgen \
     --allowlist-type pfioc_states \
     --allowlist-type pfioc_state_kill \
     --allowlist-type pfioc_iface \
+    --allowlist-type pfi_kif \
     --allowlist-var PF_.* \
     --allowlist-var PFRULE_.* \
     --default-enum-style rust \

generate_bindings.sh

@@ -63,6 +63,8 @@ ioctl!(readwrite pf_add_addr with b'D', 52; pfvar::pfioc_pooladdr);
 ioctl!(readwrite pf_begin_trans with b'D', 81; pfvar::pfioc_trans);
 // DIOCXCOMMIT
 ioctl!(readwrite pf_commit_trans with b'D', 82; pfvar::pfioc_trans);
+// DIOCIGETIFACES
+ioctl!(readwrite pf_get_ifaces with b'D', 87; pfvar::pfioc_iface);
 // DIOCSETIFFLAG
 ioctl!(readwrite pf_set_iface_flag with b'D', 89; pfvar::pfioc_iface);
 // DIOCCLRIFFLAG

src/ffi/mod.rs

@@ -1,4 +1,4 @@
-/* automatically generated by rust-bindgen 0.70.1 */
+/* automatically generated by rust-bindgen 0.72.1 */
 
 pub const PF_UNSPEC: u32 = 0;
 pub const PF_LOCAL: u32 = 1;
@@ -1266,6 +1266,34 @@ const _: () = {
 };
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
+pub struct pfi_kif {
+    pub pfik_name: [::std::os::raw::c_char; 16usize],
+    pub pfik_packets: [[[u_int64_t; 2usize]; 2usize]; 2usize],
+    pub pfik_bytes: [[[u_int64_t; 2usize]; 2usize]; 2usize],
+    pub pfik_tzero: u_int64_t,
+    pub pfik_flags: ::std::os::raw::c_int,
+    pub pfik_states: ::std::os::raw::c_int,
+    pub pfik_rules: ::std::os::raw::c_int,
+}
+#[allow(clippy::unnecessary_operation, clippy::identity_op)]
+const _: () = {
+    ["Size of pfi_kif"][::std::mem::size_of::<pfi_kif>() - 168usize];
+    ["Alignment of pfi_kif"][::std::mem::align_of::<pfi_kif>() - 8usize];
+    ["Offset of field: pfi_kif::pfik_name"][::std::mem::offset_of!(pfi_kif, pfik_name) - 0usize];
+    ["Offset of field: pfi_kif::pfik_packets"]
+        [::std::mem::offset_of!(pfi_kif, pfik_packets) - 16usize];
+    ["Offset of field: pfi_kif::pfik_bytes"][::std::mem::offset_of!(pfi_kif, pfik_bytes) - 80usize];
+    ["Offset of field: pfi_kif::pfik_tzero"]
+        [::std::mem::offset_of!(pfi_kif, pfik_tzero) - 144usize];
+    ["Offset of field: pfi_kif::pfik_flags"]
+        [::std::mem::offset_of!(pfi_kif, pfik_flags) - 152usize];
+    ["Offset of field: pfi_kif::pfik_states"]
+        [::std::mem::offset_of!(pfi_kif, pfik_states) - 156usize];
+    ["Offset of field: pfi_kif::pfik_rules"]
+        [::std::mem::offset_of!(pfi_kif, pfik_rules) - 160usize];
+};
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
 pub struct pf_status {
     pub counters: [u_int64_t; 17usize],
     pub lcounters: [u_int64_t; 7usize],

src/ffi/pfvar.rs

@@ -508,7 +508,7 @@ impl PfCtl {
     ) -> Result<()> {
         let mut iface = unsafe { mem::zeroed::<ffi::pfvar::pfioc_iface>() };
         interface.try_copy_to(&mut iface.pfiio_name)?;
-        iface.pfiio_flags = flags as i32;
+        iface.pfiio_flags = flags.bits();
         ioctl_guard!(ffi::pf_set_iface_flag(self.fd(), &mut iface))?;
         Ok(())
     }
@@ -523,11 +523,51 @@ impl PfCtl {
     ) -> Result<()> {
         let mut iface = unsafe { mem::zeroed::<ffi::pfvar::pfioc_iface>() };
         interface.try_copy_to(&mut iface.pfiio_name)?;
-        iface.pfiio_flags = flags as i32;
+        iface.pfiio_flags = flags.bits();
         ioctl_guard!(ffi::pf_clear_iface_flag(self.fd(), &mut iface))?;
         Ok(())
     }
 
+    /// Get interfaces with corresponding flags.
+    ///
+    /// https://man.freebsd.org/cgi/man.cgi?pf(4)
+    pub fn get_interface_flags(
+        &mut self,
+        interface: Interface,
+    ) -> Result<Vec<InterfaceDescription>> {
+        // This should be sufficient capacity on average machine to avoid reallocation
+        const INITIAL_CAPACITY: usize = 30;
+
+        let mut buf: Vec<ffi::pfvar::pfi_kif> = Vec::with_capacity(INITIAL_CAPACITY);
+        let mut iface = unsafe { mem::zeroed::<ffi::pfvar::pfioc_iface>() };
+        interface.try_copy_to(&mut iface.pfiio_name)?;
+        iface.pfiio_esize = mem::size_of::<ffi::pfvar::pfi_kif>() as i32;
+
+        let mut num_system_interfaces = 0;
+        for _ in 0..2 {
+            iface.pfiio_buffer = buf.as_mut_ptr() as _;
+            iface.pfiio_size = buf.capacity() as _;
+
+            ioctl_guard!(ffi::pf_get_ifaces(self.fd(), &mut iface))?;
+            num_system_interfaces = usize::try_from(iface.pfiio_size).unwrap_or_default();
+
+            // Reserve additional space and retry if number of system interfaces exceeds capacity
+            if num_system_interfaces > buf.capacity() {
+                buf.reserve(num_system_interfaces);
+            } else {
+                break;
+            }
+        }
+
+        let new_len = std::cmp::min(num_system_interfaces, buf.capacity());
+        // SAFETY: safe since new_len is capped at capacity
+        unsafe { buf.set_len(new_len) };
+
+        buf.into_iter()
+            .map(InterfaceDescription::try_from)
+            .collect()
+    }
+
     /// Get all states created by stateful rules
     fn get_states_inner(&mut self) -> Result<Vec<ffi::pfvar::pfsync_state>> {
         let num_states = self.get_num_states()?;

src/lib.rs

@@ -6,8 +6,7 @@
 // option. This file may not be copied, modified, or distributed
 // except according to those terms.
 
-use crate::conversion::TryCopyTo;
-use crate::{Error, ErrorInternal};
+use crate::{Error, ErrorInternal, conversion::TryCopyTo};
 
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub struct InterfaceName(String);
@@ -44,10 +43,38 @@ impl TryCopyTo<[i8]> for Interface {
     }
 }
 
+bitflags::bitflags! {
+    #[repr(transparent)]
+    #[derive(Debug, Clone, PartialEq, Eq, Hash)]
+    pub struct InterfaceFlags: i32 {
+        /// Set or clear the skip flag on an interface.
+        /// This is equivalent to PFI_IFLAG_SKIP.
+        const SKIP = 0x0100;
+    }
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
-#[repr(i32)]
-pub enum InterfaceFlags {
-    /// Set or clear the skip flag on an interface.
-    /// This is equivalent to PFI_IFLAG_SKIP.
-    Skip = 0x0100,
+pub struct InterfaceDescription {
+    pub name: String,
+    pub flags: InterfaceFlags,
+}
+
+impl TryFrom<crate::ffi::pfvar::pfi_kif> for InterfaceDescription {
+    type Error = crate::Error;
+
+    fn try_from(kif: crate::ffi::pfvar::pfi_kif) -> Result<Self, Self::Error> {
+        let c_chars_ptr = kif.pfik_name.as_ptr() as *const u8;
+        // SAFETY: valid as long as `kif` is within the scope
+        let c_chars_u8 = unsafe { std::slice::from_raw_parts(c_chars_ptr, kif.pfik_name.len()) };
+
+        let name = std::ffi::CStr::from_bytes_until_nul(c_chars_u8)
+            .map_err(|_| Error::from(ErrorInternal::InvalidInterfaceName("missing null byte")))?
+            .to_str()
+            .map_err(|_| Error::from(ErrorInternal::InvalidInterfaceName("invalid utf8 encoding")))?
+            .to_owned();
+
+        let flags = InterfaceFlags::from_bits_retain(kif.pfik_flags);
+
+        Ok(InterfaceDescription { name, flags })
+    }
 }

src/rule/interface.rs

@@ -23,19 +23,54 @@ test!(set_and_reset_interface_flag {
         slice::from_ref(&temp_tun_name),
     );
 
-    pf.set_interface_flag(interface.clone(), InterfaceFlags::Skip).unwrap();
+    pf.set_interface_flag(interface.clone(), InterfaceFlags::SKIP).unwrap();
 
     assert_eq!(
         get_interface_flags(&temp_tun_name),
         &[format!("{temp_tun_name} (skip)")],
         "expected skip flag to be set",
     );
 
-    pf.clear_interface_flag(interface, InterfaceFlags::Skip).unwrap();
+    pf.clear_interface_flag(interface.clone(), InterfaceFlags::SKIP).unwrap();
 
     assert_eq!(
         get_interface_flags(&temp_tun_name),
         &[temp_tun_name],
         "expected skip flag to be cleared",
     );
 });
+
+test!(get_all_interfaces {
+    let temp_tun = tun::Device::new(&Configuration::default()).unwrap();
+    let temp_tun_name = temp_tun.tun_name().unwrap();
+
+    let mut pf = pfctl::PfCtl::new().unwrap();
+    pf.set_interface_flag(pfctl::Interface::from(&temp_tun_name), InterfaceFlags::SKIP).unwrap();
+
+    let iface = pf.get_interface_flags(pfctl::Interface::Any)
+        .unwrap()
+        .into_iter()
+        .find(|iface| iface.name == temp_tun_name)
+        .unwrap();
+    assert!(iface.flags.contains(InterfaceFlags::SKIP), "expected skip flag to be set");
+});
+
+test!(get_single_interface {
+    let temp_tun = tun::Device::new(&Configuration::default()).unwrap();
+    let temp_tun_name = temp_tun.tun_name().unwrap();
+
+    let mut pf = pfctl::PfCtl::new().unwrap();
+    pf.set_interface_flag(pfctl::Interface::from(&temp_tun_name), InterfaceFlags::SKIP).unwrap();
+
+    let ifaces = pf.get_interface_flags(pfctl::Interface::from(&temp_tun_name))
+        .unwrap();
+
+    assert_eq!(ifaces.len(), 1);
+
+    let iface = ifaces
+        .into_iter()
+        .next()
+        .unwrap();
+    assert!(iface.name == temp_tun_name, "expected tun interface to be returned");
+    assert!(iface.flags.contains(InterfaceFlags::SKIP), "expected skip flag to be set");
+});