Hello everybody. I am currently writing a program in C that at certain points needs to add a rule to the current firewall set.
Here is a copy of the code I have so far for the function that will add
the rule:
<code>------------------------------------------------------------------
/*
 * Rule state handed to pf through ioctl().
 * NOTE(review): pr, pfrule and pool have no initializer, so every field
 * that is not assigned below is indeterminate when the struct reaches the
 * kernel. Presumably the kernel validates fields this code never sets —
 * a likely source of the EINVAL on DIOCADDRULE; confirm by zeroing all
 * three first (memset() or "= {0}").
 */
struct pfioc_rule pr;
struct pf_rule pfrule;
struct pfioc_pooladdr pool;
/* NOTE(review): ret is only ever assigned on the open()-failure path below. */
int pf_dev_fd, ret;
/*
* char anchorname[PF_ANCHOR_NAME_SIZE] = "pwatch";
* char rulesetname[PF_RULESET_NAME_SIZE] = "pwatch_rules";
*/
/**** (pfvar.h) struct reference path for 3rd inet_pton argument *****
* struct pfioc_rule: pr
* struct pf_rule: rule
* struct pf_rule_addr: src
* struct pf_addr_wrap: addr
* 'v' is a union in 'pf_addr_wrap'
* 'a' is a 'struct pf_addr' and a member of 'v'
* addr is a 'struct pf_addr' and a member of 'a'
* v4 is #defined as pfa.v4 ('pfa' is a union in struct pf_addr)
*/
/* Source and destination addresses; the inet_pton() return value is not checked on either call. */
inet_pton(AF_INET, "192.168.0.1", &pfrule.src.addr.v.a.addr.v4.s_addr);
inet_pton(AF_INET, "192.168.0.4", &pfrule.dst.addr.v.a.addr.v4.s_addr);
/*
* strlcpy(pr.anchor, anchorname, sizeof(anchorname));
* strlcpy(pr.ruleset, rulesetname, sizeof(rulesetname));
*/
/*
 * Sets the action on pr.rule, but pr.rule is overwritten wholesale by the
 * memcpy() from pfrule below, whose action field is never assigned — so this
 * PF_DROP does not survive into the rule that is added.
 */
pr.rule.action = PF_DROP;
/* if we can open device then proceed with add rules */
if((pf_dev_fd = open("/dev/pf", O_RDWR)) != -1)
{
/* Each ioctl() failure is only reported via perror(); the sequence continues regardless. */
if((ioctl(pf_dev_fd, DIOCBEGINRULES, &pr)) == -1)
perror("ioctl DIOCBEGINRULES");
if((ioctl(pf_dev_fd, DIOCBEGINADDRS, &pool)) == -1)
perror("ioctl DIOCBEGINADDRS");
/* Carry the address-pool ticket obtained above into the rule request. */
pr.pool_ticket = pool.ticket;
/* Replaces all of pr.rule with pfrule, clobbering pr.rule.action set above. */
memcpy(&pr.rule, &pfrule, sizeof(pfrule));
if((ioctl(pf_dev_fd, DIOCADDRULE, &pr)) == -1)
perror("ioctl DIOCADDRULE");
if((ioctl(pf_dev_fd, DIOCCOMMITRULES, &pr)) == -1)
perror("ioctl DIOCCOMMITRULES");
}
else
{
(void)fprintf(stderr, "failed to open /dev/pf\n");
ret = 0;
}
/* Reached with pf_dev_fd == -1 when open() failed; close(-1) then fails with EBADF. */
close(pf_dev_fd);
/* ret is indeterminate on the success path (never assigned inside the if-branch). */
return ret;
</code>--------------------------------------------------------------
The problem I am having is the ioctl
command DIOCADDRULE returns 'invalid argument'.
All of the other ioctl commands seem to be working fine including the
obtaining of tickets.
The minimal knowledge I have gathered so far concerning pf has been gained
through reading source files for 'pf' and 'authpf', but I seem to be missing
something rather important.
I would be most grateful if somebody could make a suggestion or point me
in the right direction, as it would save what little hair I have left 8).
Regards
Chris
--
-----------------------------------------------
Chris Keeley
public key: pgp.mit.edu (search string: crizza)
pgp3Q1eZkKxxu.pgp
Description: PGP signature
