* Managing netfilter/iptables via netlink
@ 2005-08-03 14:41 Adam
  2005-08-05 18:31 ` Harald Welte
  0 siblings, 1 reply; 2+ messages in thread
From: Adam @ 2005-08-03 14:41 UTC (permalink / raw)
  To: netfilter-devel

Hi all,

I need a little clarification regarding Netfilter user-space to
kernel-space IPC. 

I was reading the following article:
http://www.linuxjournal.com/article/7356

The author states: "NETLINK_NFLOG: communication channel for the
user-space iptable management tool and kernel-space Netfilter module."

However, looking into the iptables userspace code, it seems that it
sends directives to the kernel using setsockopt().

My question is this: Is it possible to manage netfilter/iptables from
userspace using netlink? If so, could you point me to some
documentation, or at least some example code? If not, is setsockopt()
currently the only supported mechanism to send firewall directives into
the kernel?

Currently my software uses system("/sbin/iptables ...") for configuring
the firewall, but unfortunately this is no longer an option.

Thanks,
Adam


* Re: Managing netfilter/iptables via netlink
  2005-08-03 14:41 Managing netfilter/iptables via netlink Adam
@ 2005-08-05 18:31 ` Harald Welte
  0 siblings, 0 replies; 2+ messages in thread
From: Harald Welte @ 2005-08-05 18:31 UTC (permalink / raw)
  To: Adam; +Cc: netfilter-devel


On Wed, Aug 03, 2005 at 10:41:35AM -0400, Adam wrote:
> However, looking into the iptables userspace code, it seems that it
> sends directives to the kernel using setsockopt().

yes.

> My question is this: Is it possible to manage netfilter/iptables from
> userspace using netlink? 

no.  the successor of iptables (called pkttables) will have that
feature, but it's not there yet.

> Currently my software uses system("/sbin/iptables ...") for configuring
> the firewall, but unfortunately this is no longer an option.

please read the list archives.  piping into stdin of iptables-restore
--noflush is the best you can do for now.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


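Harald's answer is to feed iptables-restore --noflush over its stdin rather than spawning /sbin/iptables per rule. The following C program is an added example, not code from this thread or from the netfilter project, showing one way to do that from an application: it assembles the restore script in memory (the "*table / rules / COMMIT" format iptables-save emits), rejects any rule fragment that is empty or contains a newline (a newline would smuggle an extra rule line into the script), and pipes the script into a fixed command so no rule text is ever interpolated into a shell command line the way system("/sbin/iptables ...") invites. The rule lines are constructed for the example; it assumes iptables-restore is on PATH and the process holds CAP_NET_ADMIN.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Command the program drives.  Fixed at compile time so nothing taken from
 * the rules ever reaches a shell command line (constructed for this example). */
#define RESTORE_CMD "iptables-restore --noflush"

/* Build an iptables-restore script for one table from rule lines such as
 * "-A INPUT -s 10.0.0.0/8 -j DROP".  Returns the script length, or -1 if a
 * rule is empty, contains a newline (which would smuggle an extra line into
 * the script), or the output buffer is too small. */
int build_ruleset(const char *table, const char *const *rules, size_t nrules,
                  char *out, size_t outsz)
{
    size_t used = 0;
    int n = snprintf(out, outsz, "*%s\n", table);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    used = (size_t)n;

    for (size_t i = 0; i < nrules; i++) {
        /* One rule per line: refuse anything that is not a single line. */
        if (rules[i][0] == '\0' || strchr(rules[i], '\n') != NULL)
            return -1;
        n = snprintf(out + used, outsz - used, "%s\n", rules[i]);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }

    n = snprintf(out + used, outsz - used, "COMMIT\n");
    if (n < 0 || (size_t)n >= outsz - used)
        return -1;
    return (int)(used + (size_t)n);
}

/* Pipe a script into cmd's stdin and return cmd's exit status, or -1 if the
 * command could not be started, the write failed, or it died from a signal.
 * Callers pass a fixed command string (RESTORE_CMD), never one built from
 * rule text. */
int apply_ruleset(const char *cmd, const char *ruleset)
{
    FILE *fp = popen(cmd, "w");
    if (fp == NULL)
        return -1;
    if (fputs(ruleset, fp) == EOF) {
        pclose(fp);
        return -1;
    }
    int status = pclose(fp);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample policy: allow SSH from an internal range, drop other SSH. */
    const char *rules[] = {
        "-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT",
        "-A INPUT -p tcp --dport 22 -j DROP",
    };
    char script[4096];

    if (build_ruleset("filter", rules, sizeof rules / sizeof rules[0],
                      script, sizeof script) < 0) {
        fputs("refusing to build ruleset\n", stderr);
        return 1;
    }
    int rc = apply_ruleset(RESTORE_CMD, script);
    if (rc != 0) {
        fprintf(stderr, "%s failed (status %d)\n", RESTORE_CMD, rc);
        return 1;
    }
    return 0;
}
```

Because --noflush leaves existing chains in place, the script only appends rules; a program that needs to replace its own rules should add them to a dedicated user chain it owns and flush just that chain in the same script. The exit status of iptables-restore is the only success signal, so the return value of apply_ruleset must be checked rather than ignored as system() callers often do.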
