Building Open Source Network Security Tools: Components and Techniques

Mike D. Schiffman


Firewall Functions

No other portable library yet matches libdnet's ability to interface with an operating system's native firewall functionality. Many modern operating systems support some sort of firewall capability; while similar in theory, the implementations differ wildly. Libdnet bridges the gap and lets the application programmer reach this functionality in a portable and consistent fashion. At this writing, the following operating systems are supported: OpenBSD, FreeBSD, NetBSD, Linux, and MacOS, with Solaris support in the works.

Use the fw_pack_rule() macro to populate struct fw_rule (described in the datatypes section).


fw_t *fw_open(void);

fw_open() opens and initializes a firewall handle for use in subsequent firewall functions. Upon success, the function returns a valid fw_t descriptor; upon failure, the function returns NULL.

Note

In most cases, a firewall handle contains a file descriptor on which the internal libdnet code sets socket options or performs ioctl()s.


int fw_add(fw_t *f, struct fw_rule *rule);

fw_add() adds the firewall rule rule to the firewall subsystem that f references. Upon success, the function returns 0; upon failure, the function returns −1.


int fw_delete(fw_t *f, struct fw_rule *rule);

fw_delete() deletes the firewall rule rule from the firewall subsystem that f references. Upon success, the function returns 0; upon failure, the function returns −1.


int fw_loop(fw_t *f, fw_handler callback, void *arg);
int callback(const struct fw_rule *rule, void *arg);

fw_loop() iterates over the firewall rules in the subsystem that f references, invoking callback once for each rule; upon failure, the function returns −1 and sets errno. The fw_loop() callback function expects two arguments: a pointer to the firewall rule and the optional argument arg.


fw_t *fw_close(fw_t *f);

fw_close() closes the firewall interface that f references. The function returns NULL.


fw_pack_rule(rule, dev, o, dir, p, s, d, sp1, sp2, dp1, dp2);

fw_pack_rule() is a macro that fills in the members of the firewall rule structure rule with the corresponding arguments, as Table 6.4 summarizes.

Table 6.4: fw_pack_rule() Arguments

ARGUMENT  MEANING
rule      the libdnet firewall rule structure to be populated
dev       the canonical name of the device, up to 14 bytes including the NULL terminator
o         firewall operation type
dir       direction in which the rule should be applied
p         protocol
s         source address
d         destination address
sp1       either the low source port number or the ICMP type
sp2       either the high source port number or the ICMP mask
dp1       either the low destination port number or the ICMP code
dp2       either the high destination port number or the ICMP mask
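As an added example that is not part of the book (nor libdnet's own code), the following C program ties the functions above together: it opens a handle, walks the active ruleset through fw_loop(), installs a rule packed with fw_pack_rule(), removes it again and closes the handle. Everything not on this page is an assumption: the shim that stands in for dnet.h when libdnet is not installed (an assumed mirror of its struct fw_rule, struct addr, FW_OP_*/FW_DIR_*/IP_PROTO_* constants and fw_pack_rule() macro), the helper names ip4_net(), fw_rule_format(), build_sample_rule() and print_rule(), and the constructed rule values (eth0, 192.0.2.10, TCP/23).

```c
/* Added example (not from the book): drive libdnet's firewall API end to end.
 * Build with libdnet:  cc fw_demo.c -ldnet.  Without it, the shim below (an
 * assumed mirror of libdnet's fw.h, not the library) lets the formatter run alone. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#ifdef __has_include
#  if __has_include(<dnet.h>)
#    define HAVE_DNET 1
#  endif
#endif
#ifdef HAVE_DNET
#include <dnet.h>
#else   /* shim: assumed libdnet definitions, just enough for the code below */
enum { INTF_NAME_LEN = 16, ADDR_TYPE_IP = 2, FW_OP_ALLOW = 1, FW_OP_BLOCK = 2,
       FW_DIR_IN = 1, FW_DIR_OUT = 2, IP_PROTO_ICMP = 1, IP_PROTO_TCP = 6 };
struct addr { uint16_t addr_type; uint16_t addr_bits; uint32_t addr_ip; };
struct fw_rule {
    char        fw_device[INTF_NAME_LEN];   /* interface name */
    uint8_t     fw_op, fw_dir, fw_proto;    /* operation, direction, IP protocol */
    struct addr fw_src, fw_dst;             /* source / destination network */
    uint16_t    fw_sport[2], fw_dport[2];   /* port ranges, or ICMP type/code + mask */
};
#define fw_pack_rule(rule, dev, o, dir, p, s, d, sp1, sp2, dp1, dp2) do {    \
    snprintf((rule)->fw_device, sizeof((rule)->fw_device), "%s", (dev));     \
    (rule)->fw_op = (o); (rule)->fw_dir = (dir); (rule)->fw_proto = (p);     \
    (rule)->fw_src = (s); (rule)->fw_dst = (d);                              \
    (rule)->fw_sport[0] = (sp1); (rule)->fw_sport[1] = (sp2);                \
    (rule)->fw_dport[0] = (dp1); (rule)->fw_dport[1] = (dp2); } while (0)
#endif
/* IPv4 address/prefix as libdnet stores it (network byte order); with libdnet
 * proper, addr_aton("192.0.2.10/32", &a) fills the same structure. */
static struct addr ip4_net(uint8_t a, uint8_t b, uint8_t c, uint8_t d, uint16_t bits)
{
    struct addr ad;
    uint8_t raw[4] = { a, b, c, d };
    memset(&ad, 0, sizeof ad);
    ad.addr_type = ADDR_TYPE_IP; ad.addr_bits = bits;
    memcpy(&ad.addr_ip, raw, sizeof raw);   /* bytes already in wire order */
    return ad;
}

/* Render a rule as one backend-neutral line. sport/dport are overloaded as in
 * Table 6.4: port ranges for TCP/UDP, type/mask and code/mask for ICMP.
 * Returns 0, or -1 if buf is too small. */
int fw_rule_format(const struct fw_rule *r, char *buf, size_t len)
{
    const uint8_t *s = (const uint8_t *)&r->fw_src.addr_ip;
    const uint8_t *d = (const uint8_t *)&r->fw_dst.addr_ip;
    int n, m;
    n = snprintf(buf, len, "%s %s on %s proto %u from %u.%u.%u.%u/%u to %u.%u.%u.%u/%u",
                 r->fw_op == FW_OP_ALLOW ? "allow" : "block",
                 r->fw_dir == FW_DIR_IN ? "in" : "out", r->fw_device, r->fw_proto,
                 s[0], s[1], s[2], s[3], r->fw_src.addr_bits,
                 d[0], d[1], d[2], d[3], r->fw_dst.addr_bits);
    if (n < 0 || (size_t)n >= len)
        return -1;
    if (r->fw_proto == IP_PROTO_ICMP)
        m = snprintf(buf + n, len - n, " icmp-type %u/%#x code %u/%#x",
                     r->fw_sport[0], r->fw_sport[1], r->fw_dport[0], r->fw_dport[1]);
    else
        m = snprintf(buf + n, len - n, " sport %u-%u dport %u-%u",
                     r->fw_sport[0], r->fw_sport[1], r->fw_dport[0], r->fw_dport[1]);
    return (m < 0 || (size_t)m >= len - n) ? -1 : 0;
}

/* Constructed sample: block inbound telnet (TCP/23) to 192.0.2.10 on eth0. */
void build_sample_rule(struct fw_rule *r)
{
    struct addr any = ip4_net(0, 0, 0, 0, 0), host = ip4_net(192, 0, 2, 10, 32);
    memset(r, 0, sizeof *r);
    fw_pack_rule(r, "eth0", FW_OP_BLOCK, FW_DIR_IN, IP_PROTO_TCP, any, host, 0, 65535, 23, 23);
}

#ifdef HAVE_DNET
/* fw_loop() callback: gets each active rule plus fw_loop()'s arg; nonzero stops the walk. */
static int print_rule(const struct fw_rule *rule, void *arg)
{
    char line[160];
    int *count = arg;
    if (fw_rule_format(rule, line, sizeof line) == 0)
        printf("%3d: %s\n", ++*count, line);
    return 0;
}
int main(void)                        /* needs root: it opens the kernel firewall */
{
    fw_t *fw;
    struct fw_rule rule;
    int count = 0;
    if ((fw = fw_open()) == NULL) { perror("fw_open"); return 1; }
    if (fw_loop(fw, print_rule, &count) < 0) perror("fw_loop");
    build_sample_rule(&rule);
    if (fw_add(fw, &rule) < 0) perror("fw_add");            /* install the rule ... */
    else if (fw_delete(fw, &rule) < 0) perror("fw_delete"); /* ... and remove it again */
    fw_close(fw);
    return 0;
}
#endif
```

With libdnet installed, build with cc fw_demo.c -ldnet and run as root: the program lists the active rules, then installs and immediately deletes the sample block rule, so it leaves the ruleset as it found it. The formatter is the part worth keeping around, because it makes the overloaded sp1/sp2/dp1/dp2 pairs explicit; an ICMP rule read as a port range is the detail most likely to be misjudged when auditing what a tool has pushed into the kernel.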