0

I'd like to build a daemon based process that configure the network kernel module firewall capabilities.

Currently, I can control this kernel firewall using pfctl and various configuration files that describe the filtering rules. However, I wish to inject the rules to packet first directly using C++/Objective-C API.

For example, To block IP address from any network interface in my setup, requires adding block from any to <ip_addr> to /etc/pf.conf file and reload the firewall by sudo pfctl -d and then sudo pfctl -e -f /etc/pf.conf

Is there any option to use ioctl or other system-call to communicate directly with the kernel firewall ?

EDIT: The source code of pfctl is here, but I still trying to decipher how to generate proper ioctl command in order to set new rule..

Zohar81
  • 4,554
  • 5
  • 29
  • 82

1 Answers1

0

The source code you added in the link is that of the pf subsystem itself (in kernel), not the pfctl(8) utility. If you look right next to pf.c in XNU sources, though, you will see the full list of PF IOCTLs in pf_var.h (http://newosxbook.com/src.jl?tree=xnu&ver=4570.41.2&file=bsd/net/pfvar.h), starting with DIOCSTART. This should give you all the information you need to add rules, delete, modify, etc. Just open /dev/pf and you can use the ioctl(2)s directly. Another idea is to run pfctl under lldb (with a breakpoint on ioctl), to see what the rule (third ioctl parameter) looks like in memory.

Technologeeks
  • 7,674
  • 25
  • 36