Wednesday, November 25, 2009

Firewall Functions

As yet, no other portable library has matched libdnet's ability to interface with an operating system's native firewall functionality. Many modern robust operating systems contain support for some sort of firewall capability. While similar in theory, all seem to differ wildly in implementation. Libdnet bridges the gap and enables the application programmer to access this functionality in a portable and consistent fashion. At this writing, the following operating systems are supported: OpenBSD, FreeBSD, NetBSD, Linux, and MacOS, with Solaris support in the works.

You should employ the fw_pack_rule() macro to populate struct fw_rule (described in the datatypes section).

fw_t *fw_open(void);
fw_open() opens and initializes a firewall handle for use in subsequent firewall functions. Upon success, the function returns a valid fw_t descriptor; upon failure, the function returns NULL.

Note

In most cases, a firewall handle contains a file descriptor with which the internal libdnet code sets socket options or performs ioctl()s.

int fw_add(fw_t *f, struct fw_rule *rule);
fw_add() adds the firewall rule rule to the firewall subsystem that f references. Upon success, the function returns 0; upon failure, the function returns 1.
int fw_delete(fw_t *f, struct fw_rule *rule);
fw_delete() deletes the firewall rule rule from the firewall subsystem that f references. Upon success, the function returns 0; upon failure, the function returns 1.
int fw_loop(fw_t *f, fw_handler callback, void *arg);
int callback(const struct fw_rule *rule, void *arg);
returns 1 and sets errno. The fw_loop() callback function format expects two arguments: a pointer to the firewall rule and the optional argument arg.
fw_t *fw_close(fw_t *f);
fw_close() closes the firewall interface that f references. The function returns NULL.
fw_pack_rule(rule, dev, o, dir, p, s, d, sp1, sp2, dp1, dp2);
fw_pack_rule() is a macro that fills in the members of the firewall rule structure rule with the corresponding arguments, as Table 6.4 summarizes.

Table 6.4: fw_pack_rule() Arguments

ARGUMENT   MEANING
rule       the libdnet firewall rule structure to be populated
dev        the canonical name of the device, up to 14 bytes including NULL terminator
o          firewall operation type
dir        direction the rule should be applied
p          protocol
s          source address
d          destination address
sp1        either the low source port number or the ICMP type
sp2        either the high source port number or the ICMP mask
dp1        either the low destination port number or the ICMP code
dp2        either the high destination port number or the ICMP mask

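A worked example, added here and not code from the book or from libdnet, tying the fw_loop() callback signature to the fw_pack_rule() arguments in Table 6.4: it packs rules with the macro and implements a callback that counts the rules a firewall handle iterates over and flags overly permissive "allow" rules for review. The helpers struct audit, rule_is_permissive() and audit_rule() are hypothetical names, and the struct addr, struct fw_rule, FW_OP_*/FW_DIR_* constants and fw_pack_rule macro at the top are an assumed, simplified mirror of libdnet's fw.h so the file builds and runs without libdnet installed.

```c
#include <stdint.h>
#include <string.h>

/* Assumed, simplified mirror of the libdnet fw.h declarations this example
 * needs, so it builds without libdnet. With libdnet installed, delete this
 * block down to the end of the macro and #include <dnet.h> instead. */
#define FW_OP_ALLOW 1
#define FW_OP_BLOCK 2
#define FW_DIR_IN   1
struct addr { uint16_t addr_type, addr_bits; uint32_t addr_ip; };
struct fw_rule {
    char        fw_device[16];              /* interface name */
    uint8_t     fw_op, fw_dir, fw_proto;
    struct addr fw_src, fw_dst;
    uint16_t    fw_sport[2], fw_dport[2];   /* port range, or ICMP type/mask and code/mask */
};
#define fw_pack_rule(rule, dev, o, dir, p, s, d, sp1, sp2, dp1, dp2) do {  \
    strncpy((rule)->fw_device, (dev), sizeof((rule)->fw_device) - 1);      \
    (rule)->fw_device[sizeof((rule)->fw_device) - 1] = '\0';               \
    (rule)->fw_op = (o); (rule)->fw_dir = (dir); (rule)->fw_proto = (p);   \
    (rule)->fw_src = (s); (rule)->fw_dst = (d);                            \
    (rule)->fw_sport[0] = (sp1); (rule)->fw_sport[1] = (sp2);              \
    (rule)->fw_dport[0] = (dp1); (rule)->fw_dport[1] = (dp2); } while (0)

/* Counters filled in by the callback; handed to fw_loop() as its arg. */
struct audit { int total, permissive; };

/* Constructed review heuristic: an ALLOW rule is flagged when it matches
 * every protocol (0), or any source (0-bit mask) to the whole destination
 * port range. Returns 1 if flagged, 0 otherwise. */
int rule_is_permissive(const struct fw_rule *r)
{
    if (r->fw_op != FW_OP_ALLOW) return 0;
    if (r->fw_proto == 0) return 1;
    return r->fw_src.addr_bits == 0 &&
           r->fw_dport[0] == 0 && r->fw_dport[1] == 65535;
}

/* Callback in the fw_handler signature fw_loop() expects; on a live handle
 * run it as fw_loop(f, audit_rule, &stats). A non-zero return would stop
 * the iteration early, so the audit always returns 0 to see every rule. */
int audit_rule(const struct fw_rule *rule, void *arg)
{
    struct audit *a = arg;
    a->total++;
    if (rule_is_permissive(rule)) a->permissive++;
    return 0;
}
```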