• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Programmatic Interface to pf (firewall)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Programmatic Interface to pf (firewall)

  • Subject: Re: Programmatic Interface to pf (firewall)
  • From: Scott Davies <email@hidden>
  • Date: Fri, 18 Oct 2013 14:26:11 -0400
Hi Comex and Vincent,

Thank you for your quick replies!

I believe I will explore the ioctls for personal interest, but will not rely on then for the product as you note they are fragile between releases.

I suppose the best solution, then, is to wrap pfctl and pass rules via anchors.  A problem I can think with this is that the anchors will have to be appended to the existing pf.conf file, but because the last rule that applies takes effect in pf, it is possible that my rules being blindly added will compromise someone's existing configuration.

Can anyone think of a work around to that ?

Thanks again,

- Scott

On 2013-10-17, at 7:41 PM, Vincent Lubet <email@hidden> wrote:

>
> On Oct 17, 2013, at 1:50 PM, comex <email@hidden> wrote:
>
>> On Thu, Oct 17, 2013 at 2:02 AM, Scott Davies <email@hidden> wrote:
>>> I have begun research on this and have just started to read about Network Kernel Extensions, however, I am curious if there is a way to do this from user space or if it is only a kernel space option.  In particular, an Objective-C interface for this to use from user space would be beneficial.
>>
>> The /dev/pf ioctl interface is the same as the one documented in BSD:
>>
>> http://www.freebsd.org/cgi/man.cgi?query=pf&sektion=4
>
> A word of caution: the PF ioctls are not a public API for OS X and they exist in xnu only to support the needs of pfctl(8). That means the PF ioctls are not supported and may be modified or even removed from any release without advance notice.
>
> Vincent
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Darwin-kernel mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Programmatic Interface to pf (firewall) (From: Scott Davies <email@hidden>)
 >Re: Programmatic Interface to pf (firewall) (From: comex <email@hidden>)
 >Re: Programmatic Interface to pf (firewall) (From: Vincent Lubet <email@hidden>)

  • Prev by Date: Re: Programmatic Interface to pf (firewall)
  • Next by Date: Re: To Monitor file activities
  • Previous by thread: Re: Programmatic Interface to pf (firewall)
  • Index(es):
    • Date
    • Thread