MacOS – Launch daemon not processing program arguments

launchdmacosplistterminal

I have been trying to make a change (for port forwarding/redirecting) to the pfctl.conf file and have it ( the /etc/pfctl.conf file) loaded at startup. The pfctl.conf has been been confirmed to be working as expected because issuing sudo pfctl -ef /etc/pfctl.conf leads to the desired behavior (requests to one port get forwarded to the other).

That pfctl itself is actually loaded at startup is also confirmed because doing launchctl list | grep pf shows com.apple.pfctl in the output. However, the desired forwarding behavior is not achieved directly after startup. It happens only on doing pfctl -f /etc/pfctl.conf after startup. Oddly enough, the output of pfctl -ef /etc/pfctl.conf still says pf already enabled.

Therefore, I concluded that while pf is loaded at startup, the daemon seems to not load from the conf file. The body of the launch daemon com.apple.pfctl.plist now looks like:

<plist version="1.0">
<dict>
     <key>Disabled</key>
     <false/>
     <key>Label</key>
     <string>com.apple.pfctl</string>
     <key>WorkingDirectory</key>
     <string>/var/run</string>
     <key>Program</key>
     <string>/sbin/pfctl</string>
     <key>ProgramArguments</key>
     <array>
         <string>/sbin/pfctl</string>
         <string>-e</string>
         <string>-f</string>
         <string>/etc/pf.conf</string>
     </array>
     <key>RunAtLoad</key>
     <true/>
</dict>
</plist>

Having checked the discussion at
Getting launchd to read program arguments correctly it was informative but not practically helpful in this instance – I have already tried editing the program arguments of the plist file to include the full path to the pfctl executable (as can be seen in the code above – first line of the arguments array) but to no avail. I have also added an argument (second line of arguments array) to actually launch pfctl based on the discussion at this gist. The daemon also seems to be configured correctly according to the instructions at Apple developer docs. In accordance to the developer docs (which state that the program tag is required when the program arguments are not supplied and vice versa), I also tried removing the program tag while leaving the program arguments array in place (with the path to the executable as the first argument) – but this had no effect either.

Puzzlingly, the shipped version of the pfctl.plist file (which can be assumed to be most likely correct) had both the program tag and the program arguments tag, apparently in contradiction to the dev docs (or maybe I misunderstood the docs).

So now I am completely at a loss. Any help would be most appreciated!

Additional info:
Not sure this is relevant, but just in case it is: the anchor file (created by me) which is referenced by pf.conf looks like:

rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port =80 -> 127.0.0.1 port 8888

So is there a possibility that the network interface is not yet active and addresses have not been assigned at the time the daemon runs? If so, how can it be fixed?

Best Answer

Try removing the Program argument:

<key>Program</key>
<string>/sbin/pfctl</string>

A deep explanation is found here: https://akikoskinen.info/launch-daemon-agent-program-programarguments/

Related Solutions

MacOS – Getting launchd to read program arguments correctly

The Program key specifies the file to execute, & the ProgramArguments key specifies the arguments which will be passed to the executing process. Strictly speaking you can pass whatever arguments you want to a process, but the convention is that the first one should be the name by which the process was invoked, so most programs ignore their first argument.^‡ The file to execute is obviously necessary information, but if the Program key is is missing, launchd pretends it has the same value as the first argument in ProgramArguments purely as a convenience.

Your first example starts boinccmd & gives it arguments that would be equivalent to the terminal command

--host\ localhost --passwd\ gobbledygook --project\ http://setiathome.berkeley.edu/\ update

which tells boinccmd that you invoked it as "--host localhost" & only passed it two weird arguments.

Your second example separates the arguments correctly, but as Eddie Kelley suggested it needs one inserted at the front. It tells boinccmd that you invoked it as "--host", then passed another six arguments. boinccmd can recognise the last five as being two options, but has no idea what the "localhost" business is about. As far as boinccmd can tell, it was invoked from the terminal as

/Library/Application\ Support/BOINC\ Data/boinccmd localhost --passwd gobbledygook --project http://setiathome.berkeley.edu/ update

(note the missing "--host").

boinccmd is probably one of the great majority of programs that don't care what their first argument is, so you could probably actually just shove <string>HELLO</string> at the head of the ProgramArguments array, but it's probably cleaner to remove the Program key altogether & just use this:

<key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/BOINC Data/boinccmd</string>
        <string>--host</string>
        <string>localhost</string>
        <string>--passwd</string>
        <string>gobbledygook</string>
        <string>--project</string>
        <string>http://setiathome.berkeley.edu/</string>
        <string>update</string>
    </array>

^‡ It can seem like a meaningless redundancy, but some programs use this to good effect: bash et al. act as login shells if their first argument begins with -, & Vim enters various emulation modes if its first argument is ed or vi instead of vim.

MacOS – How to reset OS X volume after sleep using launchd

The second launchd job ticket format is almost correct. Only a set of quotes need removing.

Quotes

The quotes are no longer needed in the second launchd job ticket, so change:

<string>"set volume output volume 0"</string>

…to…

<string>set volume output volume 0</string>

Grouping Arguments

In this case, the quotes grouped the set of arguments for osascript to see as one item. Thus osascript gets two arguments, the flag -e and the script. This meets the requirements from the osascript manual.

When called through Terminal.app and thus through the shell, the quotes are needed to perform the grouping. When osascript gets the arguments, the shell has removed the quotes.

Without quotes, spaces subdivide each item passed via the shell.

When called through a launchd job ticket, the grouping is intrinsic within the array passed as ProgramArguments. In your first ticket, the array contained nine items and in the second ticket, the array contained three.

LaunchAgent

Be sure to add this launchd job as a ~/Library/LaunchAgents as osascript requires an active user with a graphical session.

This approach approximates what I do with Power Manager in How to Set the Volume When Logging In.