Knowing tables change

Knowing tables change

[Sebastien Tricaud]

Hi folks,

I would like to know if there is a way to watch for tables alteration.

I am sure there is a better way than doing "iptables -t table -L" loop 
and compare with previously stored data.

When I look over Internet for possible answers, I can find something 
that would do the job. It seems libpkttnetlink is for this purpose. 
However no developments are latter than 2002. Is it a working stuff and 
nothing has to be improved anymore ?

At a lower level, I can see libnfnetlink is the low level library I can 
also use for it: there is the following quote -> "provides 
open/close/receive functions only to be used by other libraries 
libctnetlink/libpkttnetlink".


Do you know which lib should I use ?


Thanks,
Sebastien Tricaud.

Re: Knowing tables change

[Patrick McHardy]

Sebastien Tricaud wrote:
> Hi folks,
> 
> I would like to know if there is a way to watch for tables alteration.
> 
> I am sure there is a better way than doing "iptables -t table -L" loop
> and compare with previously stored data.

watch -n 1 -d iptables -vxnL :)

> When I look over Internet for possible answers, I can find something
> that would do the job. It seems libpkttnetlink is for this purpose.
> However no developments are latter than 2002. Is it a working stuff and
> nothing has to be improved anymore ?
> 
> At a lower level, I can see libnfnetlink is the low level library I can
> also use for it: there is the following quote -> "provides
> open/close/receive functions only to be used by other libraries
> libctnetlink/libpkttnetlink".

There are no notifications for ruleset updates currently, since
ruleset exchange between kernel and userspace isn't built on
netlink and happens as one atomic operation, so the kernel
doesn't know which rules are new.

Re: Knowing tables change

[Herve Eychenne]

On Mon, Mar 13, 2006 at 03:55:11PM +0100, Patrick McHardy wrote:

> Sebastien Tricaud wrote:
> > Hi folks,
> > 
> > I would like to know if there is a way to watch for tables alteration.
> > 
> > I am sure there is a better way than doing "iptables -t table -L" loop
> > and compare with previously stored data.

> watch -n 1 -d iptables -vxnL :)

> > When I look over Internet for possible answers, I can find something
> > that would do the job. It seems libpkttnetlink is for this purpose.
> > However no developments are latter than 2002. Is it a working stuff and
> > nothing has to be improved anymore ?
> > 
> > At a lower level, I can see libnfnetlink is the low level library I can
> > also use for it: there is the following quote -> "provides
> > open/close/receive functions only to be used by other libraries
> > libctnetlink/libpkttnetlink".

> There are no notifications for ruleset updates currently, since
> ruleset exchange between kernel and userspace isn't built on
> netlink and happens as one atomic operation, so the kernel
> doesn't know which rules are new.

Does listing the rules imply some locking? I guess it can be a costly
operation if the ruleset is big...
It would at least be nice to send a "signal" (via netlink) when the
ruleset is changed, so that third party applications can figure out
the changes themselves only when needed (without having to do regular
active polls).

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/