'ipfw' IOCTLS available as python module?

François Pinard pinard at iro.umontreal.ca
Mon Oct 4 09:56:26 EDT 1999


Jeff <jam at quark.emich.edu> writes:

> I have need to write a firewall configuration script in python, and
> one of my design goals is that python not act as just another /bin/bash
> replacement.  what I'd like is a module that knows how to directly make
> the ioctl calls described in the ipfw(4) man page (so I don't have to
> resort to 'os.system("/sbin/ipchains -F")', which looks ugly).

I worked on about the same problem this weekend.  I still do not feel ready
to dive into a C interface.  I did not want to repeatedly do `os.system',
which would surely incur a lot of overhead.  As a compromise, even if
far from being a speed winner, I do the equivalent of "popening" `/bin/sh'
and feeding it with the generated `ipfwadm' or `ipchains' commands, so at
least, the shell is called only once, instead of once per command.  Still,
the shell has to decode the command text that my Python script generates,
and repeatedly fork the program: much less than ideal.

Enough problems with organising the chains, I told myself, no need to
tackle too many problems at once and drown myself: I'll live with the slow
speed in the meantime, and probably for a long while.  What I would love
to have, however, is a Tkinter interface to drive all this, as my users
are quite lost if they cannot "click easy", and I would like to give them
the possibility to dig momentary tunnels without having to call me.

I would like to seek some generality in my things, but I hardly see how.
Things are so tuned to our particular setup, that it seems to me that
making things general enough to be exportable, sharable or publishable
would require an effort which is inordinate with our real needs.  Moreover,
to be fully honest, playing such games is far from being my preferred bag,
anyway.  I still hardly accept that there are bad guys on this planet:
this is really not the world I was hoping for in my youth :-).  Life would
be *so* much easier without them.  Good guys should kill all the bad guys! :-)

> I am willing to work on the project, but I thought I saw *something*
> whiz by on the mailing list regarding this same issue.

I do not clearly see how we could put our efforts in common, nor what I
can bring which you would not already know, but yet, I'm open to fruitful
collaboration, if it can be organised easily and time-economically! :-)

-- 
François Pinard   http://www.iro.umontreal.ca/~pinard
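
The single-shell approach described in the message above, sketched as an added example that is not part of the original post or the author's script. The names `build_script`, `apply_rules` and `SAMPLE_RULES` are hypothetical and the rules are constructed; each word is quoted with `shlex.quote` so a value containing shell syntax stays one argument when the shell decodes the generated text.

```python
import shlex
import subprocess

# Constructed sample rules: each rule is an argument list, never a pre-joined string.
SAMPLE_RULES = [
    ["-F"],
    ["-A", "input", "-s", "192.0.2.0/24", "-j", "DENY"],
    # A value that arrived from outside (e.g. a GUI field) and contains shell syntax.
    ["-A", "input", "-i", "eth0; echo INJECTED", "-j", "DENY"],
]


def build_script(rules, tool="/sbin/ipchains"):
    """Render every rule as one quoted command line of a single sh script."""
    lines = ["set -e"]  # stop at the first failing command so a partly loaded ruleset is reported
    for args in rules:
        lines.append(" ".join(shlex.quote(word) for word in [tool, *args]))
    return "\n".join(lines) + "\n"


def apply_rules(rules, tool="/sbin/ipchains", shell="/bin/sh"):
    """Start the shell once, feed it the whole script on stdin, return (rc, stdout, stderr)."""
    proc = subprocess.run([shell, "-s"], input=build_script(rules, tool),
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Dry run: `echo` stands in for ipchains so nothing touches the firewall.
    print(build_script(SAMPLE_RULES), end="")
    rc, out, err = apply_rules(SAMPLE_RULES, tool="echo")
    print("exit status:", rc)
    print(out, end="")
```

In the dry run the third rule comes back as a single echoed line; without the quoting, the shell would have split it at the `;` and run a second command.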




