I'm writing a function that remove rules on the fly on pf , but I'm getting some errors. Maybe can someone please help me figure out whats going on.
My current anchor "test" have the rules:
# pfctl -a test -sr
pass out quick on ne4 inet proto tcp from 192.168.1.10 port = 10000 to any
pass out quick on ne4 inet from 192.168.1.11 to 192.168.1.11
pass out quick on ne4 inet proto tcp from 192.168.1.10 port = 17688 to 192.168.1.2 port = 5800 keep state label "ptguard" queue mail
pass out quick on ne4 inet proto tcp from 192.168.1.2 port = 5800 to 192.168.1.10 port = 17688 keep state label "ptguard" queue mail
I want to remove the rules on this anchor that have the label "ptguard". I wrote a function to remove the rules:
int rem_pf_rule (void)
{
struct pfioc_rule rem_rule;
memset (&rem_rule, 0, sizeof(rem_rule));
if (ioctl(dev, DIOCGETRULES, &rem_rule)) {
if (errno == EINVAL)
rem_rule.nr = 0;
} else {
syslog(LOG_ERR, "DIOCGETRULES: %m");
return (-1);
} while (rem_rule.nr > 0) {
rem_rule.nr--; if (ioctl(dev, DIOCGETRULE, &rem_rule)) {
syslog(LOG_ERR, "DIOCGETRULE: %m");
return (-1);
}
if (strncmp(rem_rule.rule.label, "ptguard", PF_RULE_LABEL_SIZE) == 0) {
if (rem_rule.rule.states <= 0) { /* get a ticket so we can call DIOCCHANGERULE below */
rem_rule.action = PF_CHANGE_GET_TICKET;
if (ioctl(dev, DIOCCHANGERULE, &rem_rule))
syslog(LOG_ERR, "DIOCCHANGERULE: %m"); rem_rule.action = PF_CHANGE_REMOVE;
if (ioctl(dev, DIOCCHANGERULE, &rem_rule))
syslog(LOG_ERR, "DIOCCHANGERULE: %m"); if (ioctl(dev, DIOCGETRULES, &rem_rule)) {
if (errno == EINVAL)
rem_rule.nr = 0;
else {
syslog(LOG_ERR, "DIOCGETRULES: %m");
return (-1);
}
}} /* rule.state <= 0 */ } /* rule.label == ptguard */ } /* while */ return (0); }
But I'm getting an error and I can't figure out what is the problem:
Sep 30 15:59:28 fw ptguard[9116]: DIOCGETRULES: Undefined error: 0
Please someone help me out with this problem, Thanks in advance, Gustavo Rossi.
