netfilter-devel.vger.kernel.org archive mirror
* Is libiptc still the preferred library for manipulating tables?
@ 2007-02-25 19:05 Warren Kenny
  2007-02-26 12:23 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Warren Kenny @ 2007-02-25 19:05 UTC (permalink / raw)
  To: netfilter-devel

This subject seems a bit hazy to me at the moment. Basically I'm
writing a network intrusion detection and prevention system for Linux
and I'd like to be able to use Netfilter to block packets coming from
nodes which have been identified as malicious. I'd prefer to avoid the
use of libnetfilter_queue since I'm already using libpcap for packet
analysis and it has some extras that I rely on. Basically I want to
add new tables and rules from within my application in order to filter
out malicious traffic.

There seem to be a lot of different guides on how to do this, most of
which are obsolete, including the guide on libiptc. I need to know the
latest and best way to manipulate iptables rules.

Thanks,
WK


* Re: Is libiptc still the preferred library for manipulating tables?
  2007-02-25 19:05 Warren Kenny
@ 2007-02-26 12:23 ` Pablo Neira Ayuso
  2007-03-02 19:44   ` Henrik Nordstrom
  0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2007-02-26 12:23 UTC (permalink / raw)
  To: Warren Kenny; +Cc: netfilter-devel

Warren Kenny wrote:
> This subject seems a bit hazy to me at the moment. Basically I'm
> writing a network intrusion detection and prevention system for Linux
> and I'd like to be able to use Netfilter to block packets coming from
> nodes which have been identified as malicious. I'd prefer to avoid the
> use of libnetfilter_queue since I'm already using libpcap for packet
> analysis and it has some extras that I rely on. Basically I want to
> add new tables and rules from within my application in order to filter
> out malicious traffic.
> 
> There seem to be a lot of different guides on how to do this, most of
> which are obsolete, including the guide on libiptc. I need to know the
> latest and best way to manipulate iptables rules.

Unfortunately, libiptc is not supported as a standalone library; it is 
just a directory inside iptables. The only interface available, at the 
moment, is iptables, the command line tool. You can blame us for not 
providing an appropriate library interface yet.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris


* Re: Is libiptc still the preferred library for manipulating tables?
  2007-02-26 12:23 ` Pablo Neira Ayuso
@ 2007-03-02 19:44   ` Henrik Nordstrom
  0 siblings, 0 replies; 5+ messages in thread
From: Henrik Nordstrom @ 2007-03-02 19:44 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Warren Kenny


On Mon 2007-02-26 at 13:23 +0100, Pablo Neira Ayuso wrote:

> Unfortunately, libiptc is not supported as a standalone library; it is 
> just a directory inside iptables. The only interface available, at the 
> moment, is iptables, the command line tool. You can blame us for not 
> providing an appropriate library interface yet.

This said, "iptables-restore -n" is a quite effective and potent batch
interface for rule updates. 

And if it (or actually the underlying iptables code it's using) had an
option for dumping rules in iptables-save format then it could be as
potent for read access as well. Today iptables-restore can only read
rules to the same level of detail as iptables -L -v.

Regards
Henrik



* Is libiptc still the preferred library for manipulating tables?
@ 2007-05-12  1:34 Hal Moroff
  2007-05-15  7:07 ` Henrik Nordstrom
  0 siblings, 1 reply; 5+ messages in thread
From: Hal Moroff @ 2007-05-12  1:34 UTC (permalink / raw)
  To: netfilter-devel

I've been trying for a while to find this out as well.

I'm working on an appliance and I need to dynamically insert/remove
rules based on what's happening in the box. I prefer not to resort to
system("iptables yada yada yada")
and so have been trying to use libiptc. I've succeeded in inserting
/ removing simple rules (based only on source IP and destination IP).
I'm struggling now to understand how to construct more complex matching
rules (destination port).

There's this document:
   http://www.opalsoft.net/qos/libiptc/qlibiptc.html
which is incomplete, but mostly correct as far as it goes. I offered
to correct some errors in the doc, but the author's email address is
apparently invalid.

If anyone has any feedback / tips / samples I'd be grateful.


* Re: Is libiptc still the preferred library for manipulating tables?
  2007-05-12  1:34 Is libiptc still the preferred library for manipulating tables? Hal Moroff
@ 2007-05-15  7:07 ` Henrik Nordstrom
  0 siblings, 0 replies; 5+ messages in thread
From: Henrik Nordstrom @ 2007-05-15  7:07 UTC (permalink / raw)
  To: Hal Moroff; +Cc: netfilter-devel


On Fri 2007-05-11 at 18:34 -0700, Hal Moroff wrote:
> I've been trying for a while to find this out as well.

Well.. libiptc is not and has never been an official interface. It has
always been considered an internal API not for reuse by other
applications, with the iptables and iptables-save/restore commands being
the official APIs.

> I'm working on an appliance and I need to dynamically insert/remove
> rules based on what's happening in the box. I prefer not to resort to
> system("iptables yada yada yada")

An alternative official interface is to popen iptables-restore in the
noflush mode. Gives you a quite smart interface for manipulating
iptables. Syntax is the same as iptables, except for how you select
which table to manipulate.

*tablename
iptables command line, without iptables or table selection
[repeat until done with current modification]
COMMIT

Regards
Henrik


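The batch format Henrik describes, driven through popen(3) as he suggests, as an added example that is not code from this thread or from the iptables project. It composes a "*table / rule lines / COMMIT" batch for the filter table, validates the source address before it is placed in a rule line (an address produced by packet analysis is untrusted input, and a stray newline in it would append a second command to the batch), and hands the text to "iptables-restore -n". The helper names (valid_ipv4, drop_rule, build_batch, apply_batch), the INPUT chain choice and the sample address 192.0.2.10 are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Return 1 if s is a well-formed dotted-quad IPv4 address, else 0.
 * Addresses coming out of packet analysis are validated here before
 * they are ever interpolated into a rule line. */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Append src to buf at offset *used, refusing to overflow len. */
static int append(char *buf, size_t len, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (*used + n + 1 > len)
        return -1;
    memcpy(buf + *used, src, n + 1);
    *used += n;
    return 0;
}

/* Build the rule line that drops traffic from one (validated) source.
 * Returns the line length, or -1 if the address is rejected or buf is too small. */
int drop_rule(char *buf, size_t len, const char *chain, const char *src_ip)
{
    if (!valid_ipv4(src_ip))
        return -1;
    int n = snprintf(buf, len, "-I %s -s %s -j DROP", chain, src_ip);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Build one iptables-restore batch in the layout from the mail:
 *   *tablename
 *   <iptables command line without "iptables" or "-t table">  (repeated)
 *   COMMIT
 * Returns the batch length, or -1 on overflow or on a rule containing a newline. */
int build_batch(char *buf, size_t len, const char *table,
                const char *const *rules, size_t nrules)
{
    size_t used = 0;
    if (append(buf, len, &used, "*") ||
        append(buf, len, &used, table) ||
        append(buf, len, &used, "\n"))
        return -1;
    for (size_t i = 0; i < nrules; i++) {
        /* A newline inside a rule would smuggle an extra command into the batch. */
        if (strchr(rules[i], '\n'))
            return -1;
        if (append(buf, len, &used, rules[i]) || append(buf, len, &used, "\n"))
            return -1;
    }
    if (append(buf, len, &used, "COMMIT\n"))
        return -1;
    return (int)used;
}

/* Feed the batch to iptables-restore in noflush mode (-n), so existing
 * rules in the table are kept and only the listed commands are applied.
 * Returns 0 when iptables-restore exits successfully, -1 otherwise. */
int apply_batch(const char *batch)
{
    FILE *p = popen("iptables-restore -n", "w");
    if (!p)
        return -1;
    if (fputs(batch, p) == EOF) {
        pclose(p);
        return -1;
    }
    return pclose(p) == 0 ? 0 : -1;
}

int main(void)
{
    char rule[128], batch[512];
    /* 192.0.2.10 is a constructed sample address (TEST-NET-1), not a real host. */
    if (drop_rule(rule, sizeof rule, "INPUT", "192.0.2.10") < 0)
        return 1;
    const char *rules[] = { rule };
    if (build_batch(batch, sizeof batch, "filter", rules, 1) < 0)
        return 1;
    fputs(batch, stdout);               /* show the batch before applying it */
    return apply_batch(batch) == 0 ? 0 : 1;
}
```

Running this requires root and a kernel with the filter table; the batch printed to stdout is exactly what iptables-restore reads. Removal works the same way with a "-D" line in place of "-I", and several rule lines between "*filter" and "COMMIT" are applied as one atomic update, which is the property that makes this cheaper than one iptables process per rule.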
