* Is IPTables::IPv4 Perl module trustable?
From: Bruno Negrão @ 2004-07-23 23:34 UTC
To: netfilter; +Cc: iptperl-general
Hi guys,
My question is exactly the one in the e-mail subject: Is IPTables::IPv4
Perl module trustable?
This module is a perl interface to the 'libiptc' library, written by,
Derrik Pates. I'd like to use it in an application.
But I read in netfilter's FAQ the following:
"4.5 Is there an C/C++ API for adding/removing rules?
The answer unfortunately is: No.
Now you might think 'but what about libiptc?'. As has been pointed out
numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used
as a public interface. We don't guarantee a stable interface, and it is
planned to remove it in the next incarnation of linux packet filtering.
libiptc is way too low-layer to be used reasonably anyway.
We are well aware that there is a fundamental lack for such an API, and we
are working on improving that situation. Until then, it is recommended to
either use system() or open a pipe into stdin of iptables-restore. The
latter will give you a way better performance."
Does someone else already tested it before? Does someone else there knows
its internals?
Thanks,
bruno negrão
* Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?
From: Derrik Pates @ 2004-07-24 0:35 UTC
To: Bruno Negrão; +Cc: netfilter, iptperl-general
Bruno Negrão wrote:
> My question is exactly the one in the e-mail subject: Is IPTables::IPv4
> Perl module trustable?
>
> This module is a perl interface to the 'libiptc' library, written by,
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
>
> "4.5 Is there an C/C++ API for adding/removing rules?
> The answer unfortunately is: No.
> Now you might think 'but what about libiptc?'. As has been pointed out
> numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used
> as a public interface. We don't guarantee a stable interface, and it is
> planned to remove it in the next incarnation of linux packet filtering.
> libiptc is way too low-layer to be used reasonably anyway.
> We are well aware that there is a fundamental lack for such an API, and we
> are working on improving that situation. Until then, it is recommended to
> either use system() or open a pipe into stdin of iptables-restore. The
> latter will give you a way better performance."
The ways they suggest will work, but not very well, and they're really
quite ugly. Yes, a whole new userspace tool for managing netfilter rules
will eventually be written - but that's still a ways off, and until the
kernel side interface changes, the libiptc code which I'm using from the
iptables codebase will continue to work just fine, thank you.
> Does someone else already tested it before? Does someone else there knows
> its internals?
I don't really know what you're saying here. But really, you can test it
any way you need to, or have whoever you want test it for you - the
source is there for your (or anybody's) perusal. It incorporates a fair
amount of code on top of libiptc so that you don't have to know the raw
data structures, and generally makes things a good bit nicer than
calling libiptc directly, and way cleaner than assembling command lines
and using system() to call out to iptables (I've tried that before, long
ago, and it caused me great pain. Or maybe that was just lunch one
day... I forget now.)
--
Derrik Pates
dpates@dsdk12.net
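
The "open a pipe into stdin of iptables-restore" route from the quoted FAQ, as an added example; it is not part of the thread and is not IPTables::IPv4 code. The rule fields, the allow-list patterns and the script's `--check` flag are assumptions made for illustration, and the sample rules are constructed.

```perl
#!/usr/bin/perl
# Added example: render a ruleset from structured data and pipe it to
# iptables-restore without a shell. Field names here are hypothetical.
use strict;
use warnings;

# Constructed sample rules; in an application these fields may come from
# configuration or user input, so each one is validated before use.
my @rules = (
    { chain => 'INPUT', proto => 'tcp', src => '192.0.2.0/24', dport => 22,  target => 'ACCEPT' },
    { chain => 'INPUT', proto => 'tcp', src => '0.0.0.0/0',    dport => 443, target => 'ACCEPT' },
);

# Shape checks only; iptables-restore still rejects out-of-range values.
my %allowed = (
    chain  => qr/\A(?:INPUT|OUTPUT|FORWARD)\z/,
    proto  => qr/\A(?:tcp|udp)\z/,
    src    => qr/\A\d{1,3}(?:\.\d{1,3}){3}(?:\/\d{1,2})?\z/,
    dport  => qr/\A\d{1,5}\z/,
    target => qr/\A(?:ACCEPT|DROP|REJECT)\z/,
);

# Render one "-A" line. Anchoring with \A...\z rejects embedded newlines,
# which would otherwise let one field add extra lines to the ruleset.
sub render_rule {
    my ($r) = @_;
    for my $k (sort keys %allowed) {
        die "invalid $k\n" unless defined $r->{$k} && $r->{$k} =~ $allowed{$k};
    }
    return "-A $r->{chain} -s $r->{src} -p $r->{proto} -m $r->{proto} "
         . "--dport $r->{dport} -j $r->{target}";
}

sub render_ruleset {
    my @lines = ('*filter', ':INPUT DROP [0:0]', ':FORWARD DROP [0:0]', ':OUTPUT ACCEPT [0:0]');
    push @lines, map { render_rule($_) } @_;
    return join("\n", @lines, 'COMMIT') . "\n";
}

my $ruleset = render_ruleset(@rules);
print $ruleset;

# The list form of open() executes the program directly, so no shell ever
# parses the arguments; --test makes iptables-restore parse the input
# without committing it.
if (@ARGV && $ARGV[0] eq '--check') {
    open(my $pipe, '|-', 'iptables-restore', '--test')
        or die "cannot run iptables-restore: $!\n";
    print {$pipe} $ruleset;
    close($pipe) or die "iptables-restore rejected the ruleset\n";
}
```

Run without arguments it only prints the rendered ruleset; the `--check` path needs root and an installed iptables-restore.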
* Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?
From: Alex Ongena @ 2004-07-26 7:31 UTC
To: Bruno Negrão; +Cc: netfilter, iptperl
Hi,
We have been using it for a long time and on many
systems, and it works well (for us).
Thanks to Derrik for this.
Regards
alex
On Sat, 2004-07-24 at 01:34, Bruno Negrão wrote:
> Hi guys,
>
> My question is exactly the one in the e-mail subject: Is IPTables::IPv4
> Perl module trustable?
>
> This module is a perl interface to the 'libiptc' library, written by,
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
>
> "4.5 Is there an C/C++ API for adding/removing rules?
> The answer unfortunately is: No.
> Now you might think 'but what about libiptc?'. As has been pointed out
> numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used
> as a public interface. We don't guarantee a stable interface, and it is
> planned to remove it in the next incarnation of linux packet filtering.
> libiptc is way too low-layer to be used reasonably anyway.
> We are well aware that there is a fundamental lack for such an API, and we
> are working on improving that situation. Until then, it is recommended to
> either use system() or open a pipe into stdin of iptables-restore. The
> latter will give you a way better performance."
>
> Does someone else already tested it before? Does someone else there knows
> its internals?
>
> Thanks,
> bruno negrão