Solved How do I interface with pf in a C/C++ application

[nactusberrilli]

I'd like to write a simple GUI C/C++ application (a simple interface) where the user can perform a few pf operations and also receive pf feedback (instead of using the pfctl command). I was hoping to get some guidance in regards to where to get started. The pf(8) suggests the use of the ioctl(2) interface . I can see a bunch of constants that start with "DIOC". A quick example or a tutorial on how to get started developing with pf would be more than appreciated. Thanks.

 

[kpa]

I would start by reading the pfctl(8) source code. It does everything it is capable of through the /dev/pf device.

https://svnweb.freebsd.org/base/releng/10.2/sbin/pfctl/

 

[nactusberrilli]

Thanks kpa. I did start by looking at the pfctl(8). In here, however, there are only CLI based commands. I needed a C/C++ API, so I went to the link you suggested, and looked at the pfctl.h. This file exposes just a very few (not commented) methods. I went back to the pf(8) and there I've noticed the paragraph where it says:

... IOCTL INTERFACE pf supports the following ioctl(2) commands available through <net/pfvar.h>: DIOCSTART Start the packet filter. DIOCSTOP Stop the packet filter ...

So, importing this header <net/pfvar.h> should give me access to all these structs, but how do I call them? Is there an example of a basic C/C++ way of integrating them into a custom application?

 

[kpa]

Look at the main() function in pfctl.c and pick one of the options, let's say -sr that shows all of the rules, and follow the path of execution to see which functions get called when that option is used and what kind of parameters are needed. In this case the path of execution leads to function pfctl_show_rules(), continue from there.

You won't find any simple programming tutorials for PF because it is assumed by the developers that anyone wanting to work on it are able self-learn the basics by reading the code itself.

 

[nactusberrilli]

Thank you kpa. I will try your back-tracing technique. While I do understand that this would not be an introductory course to C, I was sincerely hoping for a bit more documentation about some of those functions, and ideally a few simple examples.

I was, however, able to find this tutorial: http://landonf.org/code/bsd/Gatheri...s_With_PF.20050210114538.6336.luxo.local.html
that shows the implementation of a few constants of ioctl(2) interface as described in the pf(8).

Between your suggestion and this blog I think I have plenty to "chew" on for a while.

 

[fnoyanisi]

You may want to ask the same question in one of the OpenBSD mailing lists or forums as pf(4) is ported from OpenBSD.

 

[junovitch@]

An idea what would to look at the net/relayd source code as it can interface with PF. There might be some ideas there to get you started.

 

[nactusberrilli]

fnoyanisi, thanks, I will probably consider the mailing list once I have a few more specific questions
junovitch@ thanks for the suggestion