Hello all. Many thanks for all of your help.
I've now solved my problem and have a fairly good understanding of the pf
implementation within OBSD 3.3 (just have to grok the changes in -current when I can
afford to buy it!).
For the benefit of anyone in the same situation as myself, here's some code
that adds a rule after an existing rule at an anchor point.
Hope this is of some use to someone.
ciao for now
Chris
<code>---------------------------------------------------------------
/*
 * Fragment: builds one pf block rule and inserts it, via DIOCCHANGERULE,
 * after rule 0 of ruleset "0.1" under anchor "pwatch".  The enclosing
 * function's signature is not part of this listing; it evidently returns
 * an int (see the final `return ret`).
 */
struct pfioc_rule pr;
struct pfioc_pooladdr paddr;
/*
 * ret is the function's result: 1 = success, 0 = failure.  NOTE(review): it is
 * only cleared when open() fails below; an ioctl() failure is reported with
 * perror() but leaves ret at 1, so a caller cannot tell that the drop rule was
 * never installed (the failure mode is silent fail-open).  Consider setting
 * ret = 0 on each failed ioctl and skipping the remaining steps.
 */
int pf_dev_fd, ret = 1;
char anchorname[PF_ANCHOR_NAME_SIZE] = "pwatch";
char rulesetname[PF_RULESET_NAME_SIZE];
memset(&pr, 0, sizeof(struct pfioc_rule));
memset(&pr.rule, 0, sizeof(struct pf_rule)); /* redundant: pr.rule was zeroed by the previous memset */
/* NOTE(review): missing `struct` keyword — `sizeof(struct pfioc_pooladdr)` unless a typedef exists */
memset(&paddr, 0, sizeof(pfioc_pooladdr));
/* arbitrary rulesetname for testing purposes */
strlcpy(rulesetname, "0.1", PF_RULESET_NAME_SIZE);
memcpy(pr.anchor, anchorname, sizeof(pr.anchor));
/*
 * NOTE(review): strlcpy only wrote "0.1\0"; the rest of rulesetname is
 * uninitialized stack, and this memcpy copies the whole buffer.  Harmless for a
 * NUL-terminated name, but strlcpy(pr.ruleset, "0.1", sizeof(pr.ruleset)) would
 * avoid passing uninitialized bytes to the kernel and drop the temporary.
 */
memcpy(pr.ruleset, rulesetname, sizeof(pr.ruleset));
/* block quick log inet proto tcp ... */
pr.rule.action = PF_DROP;
pr.rule.quick = 1;
pr.rule.log = 1;
pr.rule.af = AF_INET;
pr.rule.proto = IPPROTO_TCP;
pr.rule.src.addr.type = PF_ADDR_ADDRMASK;
/*
 * NOTE(review): these two memset(..., 255, 4) calls target the *address*
 * field, which inet_pton() overwrites on the very next line, so they have no
 * effect.  The companion mask field (v.a.mask) is never written in this
 * fragment and stays zero from the memset above.  Presumably the 0xff fill was
 * meant for the mask (a /32 host match); as written the address-match
 * semantics depend on how pf treats a zero mask — confirm against pf(4) before
 * relying on this rule to match only the intended hosts.
 * The inet_pton() return values are also unchecked.
 */
memset(&pr.rule.src.addr.v.a.addr.v4, 255, 4);
inet_pton(AF_INET, "192.168.0.19", &pr.rule.src.addr.v.a.addr.v4);
memset(&pr.rule.dst.addr.v.a.addr.v4, 255, 4);
inet_pton(AF_INET, "192.168.0.4", &pr.rule.dst.addr.v.a.addr.v4);
/* dst.addr.type is left at 0 here, unlike src.addr.type above — confirm this is intended */
pr.rule.dst.port_op = PF_OP_EQ;
pr.rule.keep_state = 1;
/* TCP flag match: "flags S/SAFR" — SYN set, ACK/FIN/RST clear */
pr.rule.flags = TH_SYN;
pr.rule.flagset = (TH_SYN | TH_ACK | TH_FIN | TH_RST);
pr.rule.dst.port[0] = htons(1024); /* port is compared in network byte order */
/* if we can open device then proceed with add rules */
if((pf_dev_fd = open("/dev/pf", O_RDWR)) != -1)
{
/*
 * NOTE(review): on failure paddr.ticket is still used below, and the code falls
 * through to the DIOCCHANGERULE calls; each step should bail out on error.
 */
if((ioctl(pf_dev_fd, DIOCBEGINADDRS, &paddr)) == -1)
perror("ioctl DIOCBEGINADDRS");
/* get ticket for DIOCCHANGERULE */
pr.action = PF_CHANGE_GET_TICKET;
pr.pool_ticket = paddr.ticket;
if((ioctl(pf_dev_fd, DIOCCHANGERULE, &pr)) == -1)
perror("ioctl CHANGERULE:PF_CHANGE_GET_TICKET");
/* we have ticket so append after rule:0 */
pr.action = PF_CHANGE_ADD_AFTER;
pr.nr = 0; /* insert position: after rule number 0 of the named ruleset */
if((ioctl(pf_dev_fd, DIOCCHANGERULE, &pr)) == -1)
perror("ioctl CHANGERULE:PF_CHANGE_AFTER");
}
else
{
(void)fprintf(stderr, "failed to open /dev/pf\n");
ret = 0;
}
/* NOTE(review): reached on the else path too, where pf_dev_fd is -1 (close then fails with EBADF) */
close(pf_dev_fd);
return ret;
}
</code>-------------------------------------------------------------------
--
-----------------------------------------------
Chris Keeley
public key: pgp.mit.edu (search string: crizza)
