py-pf

py-pf is a pure-Python module that allows you to manage OpenBSD's Packet Filter from Python scripts. Packet Filter is OpenBSD's firewalling subsystem, renowned for its performance and security and providing, among other features:

  • stateful filtering of TCP/IP traffic
  • Network Address translation
  • packets normalization and reassembly
  • bandwidth control and packet prioritization
  • traffic filtering based on OS fingerprint

py-pf allows you to control all these functions from Python in a very simple and flexible way.

Well, you might object that OpenBSD already provides a powerful utility for controlling Packet Filter, pfctl(8), which covers the most commonly used functions. It's true, but nevertheless, py-pf aims to provide something different: a scripting tool that brings together the flexibility of Packet Filter's C API and the power of Python, making it easier to parse and manage PF data (such as addresses, rules, state tables, etc.) and to integrate firewalling capabilities in more complex applications.

Similarly to pfctl(8), py-pf sends commands to the kernel through the ioctl(2) interface provided by the pf(4) pseudo-device; this allows Python to natively communicate with the kernel, thanks to the fcntl and ctypes modules, with no need to write a specific C extension module.

py-pf is still under development, but already supports most of Packet Filter's functionalities, including:

  • starting and stopping packet filtering and bandwidth control (ALTQ);
  • retrieving the current ruleset, loading and removing rules, nesting rulesets with anchors;
  • managing address tables;
  • configuring Packet Filter's runtime options;
  • retrieving the internal packet filter statistics and counters;
  • managing state tables, including the ability to selectively kill specific states;
  • handling of packet queueing and prioritization;

OS fingerprint support will be added in the next future.

News

Oct 27, 2012
py-pf-0.0.9 released! Updated to OpenBSD 5.2, including some minor bug fixing and some new features like ruleset optimization and a high-level pf.lib module for quickly writing new rulesets.
Jun 28, 2012
py-pf-0.0.8 released! Updated to OpenBSD 5.1 and migrated from SourceForge to GitHub. Some major code reworking was done on module names and structure, thanks to input from Duncan McGreggor from DreamHost.
Nov 22, 2011
Py-PF-0.0.7 released! Updated to OpenBSD 5.0 and now supporting divert-* options and the collection of per-interface statistics!
Jul 9, 2011
Py-PF-0.0.6 released! Now supporting packet queueing with ALTQ!
Jan 19, 2011
Py-PF-0.0.5 released! It is now updated to OpenBSD 4.8, including the major changes that the PF stack has undergone over the last releases.
Jul 26, 2009
Py-PF-0.0.4 released! Tables support has been largely improved. Now address tables can be included in rulesets, in order to load them along with the rules referencing them; statistics are available also for tables through the PacketFilter.get_tstats() method.
Mar 22, 2009
Py-PF-0.0.3 released! Part of the code has been rewritten and some classes (PFAddr and PFPort) have been added in order to provide more flexiblity in managing addresses and ports; support for address tables has been included as well, through the PFTable and PFTableAddr classes.
Jul 6, 2008
Py-PF-0.0.2 released! The main additional feature is the ability to load rulesets, by means of the PacketFilter.load_ruleset() method. Also the ability to selectively kill states (based on address family, transport-layer protocol, interface name, and source and destination addresses) has been added, as well as the possibility to manually set the hostid, used by pfsync(4) to identify which host created state table entries.
Apr 26, 2008
Py-PF-0.0.1 released! Please refer to the documentation for the installation notes and a detailed tutorial.
This is just a pre-alpha release: lots of features are still missing and many bugs need to be fixed. Anyway, I hope that someone might find it useful and provide me with feedback and suggestions.

Contacts

Please feel free to send me bug reports, feedback and suggestions by email.

 

Valid XHTML 1.0!

Valid CSS!

Designed by kernel-panic.it