PF API for use from application

Greetings, colleagues!

Can you please tell me if there is some kind of API for managing the PF?

For example, I want to develop an application that should modify the contents of some PF tables.
Of course, you can constantly call 'pfctl -t XXXX -T YYYY', but this is not very elegant!

Is there some kind of API available to the application developer, or another civilized way to allow this?

Ogogon.
 
There isn't really. There's either executing pfctl, or interacting directly with the ioctl() calls. There's no middle ground.

If you're interested in using the ioctl() interface directly you can look at /usr/src/sbin/pfctl/, or at /usr/src/tests/sys/netpfil/pf/ioctl. The latter sends invalid requests, to ensure that the input validation in the kernel is sound. It's simpler, but incomplete.

If anyone is interested in a project, I would be very interested in seeing a libpf to make this sort of thing easier. Simply pulling out the add element to table / remove element from table code should be pretty straightforward, and will probably cover a lot of use cases already.
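The reply above points at the ioctl() interface and at the add-element-to-table code in pfctl as the natural thing to pull out. The following C is an added illustration, not code from this thread or from the FreeBSD tree: it parses an address-or-prefix string into a portable record and, on FreeBSD only (guarded by #ifdef __FreeBSD__, since <net/pfvar.h> exists only there), hands it to the kernel with DIOCRADDADDRS on /dev/pf. The names table_entry, parse_entry and pf_table_add are mine; it assumes the table already exists (for example declared in pf.conf), that the caller may open /dev/pf read-write, and the struct pfioc_table / struct pfr_addr layouts from <net/pfvar.h>.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __FreeBSD__ /* the ioctl half only builds where <net/pfvar.h> exists */
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>
#include <net/if.h>
#include <net/pfvar.h>
#endif
/* Portable form of one table entry such as "203.0.113.0/24" or "2001:db8::1". */
struct table_entry { int af; unsigned char net; unsigned char addr[16]; };

/* Parse "addr[/prefix]"; returns 0 on success, -1 (with af == 0) on bad input. */
int parse_entry(const char *text, struct table_entry *e)
{
    char buf[64], *slash, *end; long bits, maxbits;
    memset(e, 0, sizeof(*e));
    if (strlen(text) >= sizeof(buf)) return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, e->addr) == 1) { e->af = AF_INET; maxbits = 32; }
    else if (inet_pton(AF_INET6, buf, e->addr) == 1) { e->af = AF_INET6; maxbits = 128; }
    else return -1;
    bits = slash ? strtol(slash, &end, 10) : maxbits;    /* no prefix: single host */
    if (slash && (*slash == '\0' || *end != '\0' || bits < 0 || bits > maxbits)) { e->af = 0; return -1; }
    e->net = (unsigned char)bits;
    return 0;
}

#ifdef __FreeBSD__
/* Add one entry to the existing table `name` via DIOCRADDADDRS on /dev/pf; returns
   how many addresses the kernel added (0 if already present, else 1), or -1 on error. */
int pf_table_add(const char *name, const struct table_entry *e)
{
    struct pfioc_table io; struct pfr_addr a;   /* pfr_addr is the kernel's entry format */
    int fd, ret = -1;
    memset(&a, 0, sizeof(a));
    a.pfra_af = e->af; a.pfra_net = e->net;
    memcpy(&a.pfra_u, e->addr, sizeof(e->addr));
    memset(&io, 0, sizeof(io));
    strlcpy(io.pfrio_table.pfrt_name, name, sizeof(io.pfrio_table.pfrt_name));
    io.pfrio_buffer = &a; io.pfrio_esize = sizeof(a); io.pfrio_size = 1;
    if ((fd = open("/dev/pf", O_RDWR)) >= 0) {
        if (ioctl(fd, DIOCRADDADDRS, &io) == 0) ret = io.pfrio_nadd;
        close(fd);
    }
    return ret;
}
#endif
```

Removing an entry is the same exchange with DIOCRDELADDRS and pfrio_ndel in place of DIOCRADDADDRS and pfrio_nadd, which is why the reply expects this small core to cover most table use cases.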
 