* IPTables API (redux)
@ 2010-12-11 23:42 James Nurmi
From: James Nurmi @ 2010-12-11 23:42 UTC (permalink / raw)
  To: netfilter-devel

I realize this has come up a few times, but I'd like to
programmatically be able to query and modify IPTables rules, without
shelling out.

After digging, it would seem there's been some discussion around this
issue, but I was unable to find any resolution.

Background: the reason was a hope to write native bindings for Go
for certain chain/table manipulation tasks.

For curiosity's sake, I did a bit of reverse engineering and
discovered that the functionality I'm interested in appears to be
handled through set/getsockopt and requires a large amount of handling
for both COMPAT and not COMPAT kernel compilations, leading to
structures potentially being packed differently on the way in than on
the way out, so a "trivial" implementation was just out as far as I
could tell.

While I can successfully communicate with the netlink (iptables and
not) modules via some custom work, I've been unable to find anything
but references to desires for an NL layer to communicate with IPtables
rather than the get/setsockopt channels, and the general opinion that
"you're doing it wrong if you want this", but just in case there were
hidden developments, I thought I'd poke.

And while it's unlikely I'd be the one to do it, is there a good
technical reason to not have netlink handling the table/chain
manipulation rather than opaque get/set sockopts?

Cheers,
James


* Re: IPTables API (redux)
From: Jan Engelhardt @ 2010-12-12  4:17 UTC (permalink / raw)
  To: James Nurmi; +Cc: netfilter-devel


On Sunday 2010-12-12 00:42, James Nurmi wrote:
>I realize this has come up a few times, but I'd like to
>programmatically be able to query and modify IPTables rules, without
>shelling out.
>
>I've been unable to find anything
>but references to desires for an NL layer to communicate with IPtables

Not with iptables, but see
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/41195
for status on it.


* Re: IPTables API (redux)
From: Jesper Dangaard Brouer @ 2010-12-14 14:41 UTC (permalink / raw)
  To: James Nurmi; +Cc: Netfilter Developers

On Sat, 11 Dec 2010, James Nurmi wrote:

> I realize this has come up a few times, but I'd like to
> programmatically be able to query and modify IPTables rules, without
> shelling out.
>
> After digging, it would seem there's been some discussion around this
> issue, but I was unable to find any resolution.

I have created a Perl CPAN module named IPTables::libiptc, for doing
iptables manipulation directly from Perl.

The only problem with this Perl module is I have not had time to update it
to use the newer libiptc API introduced (by Jan) in 1.4.3.  Thus, it's only
compatible below version 1.4.3.


> For curiosity's sake, I did a bit of reverse engineering and
> discovered that the functionality I'm interested in appears to be
> handled through set/getsockopt and requires a large amount of handling
> for both COMPAT and not COMPAT kernel compilations, leading to
> structures potentially being packed differently on the way in than on
> the way out, so a "trivial" implementation was just out as far as I
> could tell.

You should use the libiptc for parsing the "blob".

Cheers,
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
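As an added illustration of the "blob" James describes and the parsing Jesper says libiptc should do for you (example code written for this page, not from either author, the iptables project or libiptc): a walk over a constructed IPT_SO_GET_ENTRIES-style blob by target_offset/next_offset, with the XT_ALIGN difference that makes a COMPAT (32-bit caller) blob pack its targets differently. The 112-byte x86_64 entry layout, the 8-versus-4 alignment and the verdict encoding are assumptions stated in the code, not facts from the thread.

```python
import struct
from ipaddress import IPv4Address

# Constructed layout of one ipt_entry as IPT_SO_GET_ENTRIES returns it, following the
# field order of struct ipt_entry / struct ipt_ip (src, dst, smsk, dmsk, in/out iface and
# masks, proto, flags, invflags, nfcache, target_offset, next_offset, comefrom, counters).
# Assumption of this example: little-endian x86_64 native offsets (112 bytes), not from the thread.
IPT_ENTRY = struct.Struct("<4s4s4s4s16s16s16s16sHBB IHHI QQ")
XT_ENTRY_TARGET = struct.Struct("<H29sB")          # target_size, name, revision (32 bytes)
VERDICTS = {-1: "DROP", -2: "ACCEPT", -4: "QUEUE", -5: "RETURN"}  # -NF_x - 1 encoding (assumed)

def xt_align(size, align):
    """XT_ALIGN rounds to the alignment of u64: 8 for a native x86_64 caller, 4 under COMPAT."""
    return (size + align - 1) & ~(align - 1)

def build_standard_entry(src, smsk, proto, verdict, align=8):
    """Construct one match-less rule with a standard (verdict) target, as test input."""
    target_size = xt_align(XT_ENTRY_TARGET.size + 4, align)       # + int verdict, then aligned
    target = XT_ENTRY_TARGET.pack(target_size, b"", 0) + struct.pack("<i", verdict)
    target += b"\0" * (target_size - len(target))
    next_offset = IPT_ENTRY.size + target_size
    head = IPT_ENTRY.pack(IPv4Address(src).packed, b"\0" * 4, IPv4Address(smsk).packed, b"\0" * 4,
                          b"", b"", b"", b"", proto, 0, 0, 0, IPT_ENTRY.size, next_offset, 0, 0, 0)
    return head + target

def walk_entries(blob, align=8):
    """Walk the blob by target_offset/next_offset; returns (src/mask, proto, verdict) per rule.
    Rejects a target size that is not XT_ALIGN'ed for the assumed ABI, the symptom of reading a
    COMPAT-packed blob with native offsets (the packing mismatch James ran into)."""
    rules, off = [], 0
    while off < len(blob):
        if off + IPT_ENTRY.size > len(blob):
            raise ValueError("truncated entry at offset %d" % off)
        f = IPT_ENTRY.unpack_from(blob, off)
        src, smsk, proto, target_offset, next_offset = f[0], f[2], f[8], f[12], f[13]
        if not IPT_ENTRY.size <= target_offset < next_offset <= len(blob) - off:
            raise ValueError("bad offsets in entry at %d" % off)
        target_size, name, _rev = XT_ENTRY_TARGET.unpack_from(blob, off + target_offset)
        if target_size % align or target_offset + target_size != next_offset:
            raise ValueError("target size %d not aligned to %d at %d" % (target_size, align, off))
        if name.rstrip(b"\0"):
            verdict = name.rstrip(b"\0").decode()              # extension target, e.g. LOG, REJECT
        else:
            v = struct.unpack_from("<i", blob, off + target_offset + XT_ENTRY_TARGET.size)[0]
            verdict = VERDICTS.get(v, "jump+%d" % v)           # >= 0 is a jump offset into the blob
        rules.append(("%s/%s" % (IPv4Address(src), IPv4Address(smsk)), proto, verdict))
        off += next_offset
    return rules

def sample_blob(align=8):
    """Two constructed rules: accept TCP from 10.0.0.0/8, then drop everything else."""
    return (build_standard_entry("10.0.0.0", "255.0.0.0", 6, -2, align) +
            build_standard_entry("0.0.0.0", "0.0.0.0", 0, -1, align))
```

Walking `sample_blob(4)` with the native `align=8` raises, which is the cheap sanity check to keep if you insist on reading the raw getsockopt output instead of going through libiptc.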

