PF header net/pfvar.h on OSX missing

Question

PF (packet filter) is a kernel-level firewall, included in BSD-like kernels (Darwin kernel is basically BSD), and BSD man pages provide detailed documentation about these headers, letting control PF programmatically. PF is included in OSX kernel, even though it's disabled by default.

I know it's possible to control PF in OSX someway, because applications like Murus exist, providing user-friendly GUI for this low-level "king of firewalls", and this API is not not manual /etc/pf.conf parsing, as I suspected first.

Any way to add these headers and control PF from my OSX applications?

MacOS Sierra 10.12.6

Xcode 9.2 (9C40b)

UPDATE Some information I found, a bit out-of-date though

[This](https://www.youtube.com/watch?v=SOWQCAA8lZA) seems to explain it, not sure though. — Mihir Luthra, Aug 04 '19 at 07:12

Prado · Accepted Answer · 2019-08-09T23:04:25.753

0

the <net/pfvar.h> you are looking for is at the link below (for MacOS Mojave and Catalina) - Older versions are also available.

https://opensource.apple.com/source/xnu/xnu-4903.221.2/bsd/net/pfvar.h.auto.html

Here is <net/pfvar.h> for the MacOS Sierra:

https://opensource.apple.com/source/xnu/xnu-3789.70.16/bsd/net/pfvar.h.auto.html

If you need a full working application example, I ported pfctl from BSD to MacOS and compiled it using all the MacOS kernel headers and system libraries. I can upload the full working source-code tree on GitHub for you. Currently I am using it on Catalina, and I can control anything on the PF subsystem. You can then learn from it and use the routines on your app. The code, functions and parameters are simple to understand and can easily meet your needs.

edited Aug 09 '19 at 23:04

answered Aug 09 '19 at 22:54

Prado

522
2
4

is it possible to control pf with ioctl inside a macos kernel extension? – horseyguy Aug 25 '19 at 14:01
1

Considering it is possible to control it from any normal application using ioctl, I see no problem of controlling it from a macos kernel extension. So the answer is yes. – Prado Aug 28 '19 at 17:31
you are correct, but `ioctl` does not exist in kernel mode it's a weird thing called `vnop_ioctl` and is slightly scarier to use! – horseyguy Aug 28 '19 at 20:06
Are you sure about it? `vnop_ioctl` seems like a filesystem ioctl defined in `sys/vnode_if.h` used mainly by SMB but also for `devfs`, `fifofs`.. It could be, I am not sure, also I am *not* telling you are wrong. This is something for my researches. thank you – Prado Aug 28 '19 at 20:17
@Prado Yes, I just back to that project, would be thankful for the working example – Sep 03 '19 at 23:42

PF header net/pfvar.h on OSX missing

1 Answers1