Program to add/delete a rule from pf

Travis H. solinym at gmail.com
Wed Jul 19 00:50:12 UTC 2006


On 7/18/06, Max Laier <max at love2party.net> wrote:
> > After going through sources of pfctl and some other programs, I wrote
> > a skeletal program
> > to add a rule via ioctl, but that is not working.

That sounds like the hard way to do it.

> Just a short hint rather than debugging your code:  Did you look into using
> anchors like spamd and authpf do?  That way it will be a simple matter of
> flushing an anchor ruleset and the users of your plugin can have some say
> where your rules end up by placing the anchor(s) accordingly.

That's probably the easiest way.

Another way is to use my dfd_keeper program, located at my homepage
below.  It allows you to make arbitrary modifications to the pf rules.
It doesn't use ioctls; it remembers all the rules, makes modifications
to them at run-time, and re-loads the ruleset completely.  No anchors
are really necessary, but you might want to use a few so you can
"patch" the ruleset temporarily without modifying your dfd_keeper
script (I provide the library, you provide the client script).  There
is an example.  It's meant for making run-time rule changes, and even
takes care of things like flushing states if you remove a pass rule,
etc.  I would appreciate feedback on it.

It may seem a bit like overkill at first, but it's really not that
hard to understand.  I have an example script, and the whole thing is
not very much code... maybe 2k lines.  There are OpenBSD packages for
it and other prerequisites on my homepage as well.

The net result is that you get a textual interface to the firewall,
and you can define an arbitrary set of commands that are available to
the text interface.  It's kind of like having a Unix shell, but for
your firewall.
-- 
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
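The two approaches discussed in this thread, loading rules into a pf anchor and keeping the whole ruleset in memory so a change is a full reload (with a state flush when a pass rule disappears), combined in one small added example. This is not dfd_keeper's code and not part of the original post; it assumes pfctl(8) with `-a anchor`, `-f -` (rules on stdin) and `-F states`, and the interface name, anchor name and 192.0.2.1 address are constructed sample values.

```python
"""Run-time pf rule management by full ruleset reload (added example)."""
import subprocess


class PfRuleset:
    """Remembers every rule so add/delete become a reload of the complete set.

    With anchor=None the main ruleset is replaced; with an anchor name the
    rules go into that anchor, so pf.conf decides where they take effect by
    placing an `anchor "name"` line (Max's hint above).
    """

    def __init__(self, anchor=None):
        self.anchor = anchor   # hypothetical anchor name, or None for main ruleset
        self.rules = []        # rules in pf.conf syntax, in order
        self.loaded = []       # what the kernel had after the last commit()

    def add(self, rule):
        rule = rule.strip()
        if rule not in self.rules:
            self.rules.append(rule)

    def delete(self, rule):
        self.rules.remove(rule.strip())   # ValueError if the rule is unknown

    def render(self):
        return "".join(r + "\n" for r in self.rules)

    def plan(self):
        """Return [(argv, stdin_text)] needed to make the kernel match self.rules."""
        base = ["pfctl"] + (["-a", self.anchor] if self.anchor else [])
        cmds = [(base + ["-f", "-"], self.render())]
        # Removing a pass rule does not kill states it already created, so
        # flush states too (blunt, but it is what a full reload needs).
        removed_pass = [r for r in self.loaded
                        if r.startswith("pass") and r not in self.rules]
        if removed_pass:
            cmds.append((["pfctl", "-F", "states"], None))
        return cmds

    def commit(self, dry_run=True):
        for argv, stdin in self.plan():
            if dry_run:
                print("+", " ".join(argv))
                if stdin:
                    print(stdin, end="")
            else:
                subprocess.run(argv, input=stdin, text=True, check=True)
        self.loaded = list(self.rules)


if __name__ == "__main__":
    rs = PfRuleset(anchor="plugin")               # constructed sample values
    rs.add("pass in on em0 proto tcp to port 22")
    rs.add("block in on em0 from 192.0.2.1")
    rs.commit()                                   # dry run: prints the reload
    rs.delete("pass in on em0 proto tcp to port 22")
    rs.commit()                                   # now also flushes states
```

Run it as root with `dry_run=False` on a machine where pf.conf contains an `anchor "plugin"` line to apply the changes for real.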