Reputation: 11808
I need to control inbound and outbound traffic to/from a linux box from within a C++ program. I could call iptables
from within my program, but I'd much rather cut out the middle man and access the kernel API functions myself.
I believe I need to use libnfnetlink, however, I have not been able to find any API documentation or example programs.
The rules I need to construct are fairly simple - things like dropping packets with a destination port equal to X etc. I do NOT intend to write a full firewall application.
Can anyone suggest a better approach, or provide a link to some documentation or example apps? I'd rather avoid reading the iptables code, but I guess I may have to, if I can't find any better resources.
Upvotes: 12
Views: 5965
Reputation: 21
In cross platform network( https://bitbucket.org/ptroen/crossplatformnetwork/) I wrote a very elegant IPTables firewall wrapper where you can control the firewall via JSON(up to two different nics). The source is here:
https://bitbucket.org/ptroen/crossplatformnetwork/src/master/Tools/FirewallScript/FirewallScript.cc
Make File here: https://bitbucket.org/ptroen/crossplatformnetwork/src/master/Tools/FirewallScript/FirewallScript.make
Note: if there is no JSON file in your filesystem, it will generate one for you when you run it the first time.
and the rest of the source is in this folder: https://bitbucket.org/ptroen/crossplatformnetwork/src/master/OSManagement/Firewall/
I also made some remarks in the final report on the operation: https://bitbucket.org/ptroen/crossplatformnetwork/src/master/Cross%20Platform%20High%20Concurrent%20Network%20Framework%20Final%20Report.pdf
I'll just paste what you may have to deal with to get it working:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
install iptables services: sudo dnf iptables-services
start the iptables service: systemctl start iptables.service
sudo systemctl restart iptables
sudo iptables -L to inspect
The only build dependency is Boost C++.
Upvotes: 0
Reputation: 126
A year back I was having the same requirement and probed around. But after contacting some open source kernel guys, this is what I came to know:
The kernel APIs of iptables are not externalised, which means they are not documented APIs. In the sense, the APIs can change any moment. They should be used only by the iptables tool. They should not be used by application developers.
-satish
Upvotes: 10
Reputation: 63538
You should not normally need to change IP tables rules on a regular basis (i.e. frequently at runtime). Therefore calling /sbin/iptables should be fine.
If you're trying to do this, then probably you need to look at an alternative match or target module which contains its own intelligence, or use NFQUEUE to queue the packets into a userspace program which can make its own decision based on criteria which can change as often as it likes (beware of sending too many packets into userspace; it's a potential performance problem).
Upvotes: 2
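As an added example of the "just call /sbin/iptables" approach recommended above (this code is not from any answer on this page), here is a small C++ wrapper that builds the rule from the question (drop inbound TCP to destination port X) and executes the iptables binary directly with fork()/execv(), so the port value is validated and never passes through a shell. The function names and the 1..65535 port check are my own assumptions.

```cpp
// Added example: invoke the iptables binary from C++ without a shell, so a
// rule parameter such as the port can never be interpreted as shell syntax.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Build the argv for "iptables -A INPUT -p tcp --dport <port> -j DROP".
// Returns an empty vector if the port is outside 1..65535, so a caller
// cannot push garbage through to the firewall (assumed validation rule).
std::vector<std::string> dropDestPortArgv(long port) {
    if (port < 1 || port > 65535) return {};
    return {"/sbin/iptables", "-A", "INPUT", "-p", "tcp",
            "--dport", std::to_string(port), "-j", "DROP"};
}

// fork()+execv() the argv directly (no /bin/sh, no string concatenation).
// Returns the child's exit status, or -1 if it could not be started.
int runArgv(const std::vector<std::string>& args) {
    if (args.empty()) return -1;
    std::vector<char*> argv;
    for (const auto& a : args) argv.push_back(const_cast<char*>(a.c_str()));
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 // child: replace ourselves with iptables
        execv(argv[0], argv.data());
        _exit(127);                 // exec failed (binary missing, etc.)
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char** argv) {
    long port = argc > 1 ? std::strtol(argv[1], nullptr, 10) : 0;
    auto args = dropDestPortArgv(port);
    if (args.empty()) { std::fprintf(stderr, "bad port\n"); return 2; }
    int rc = runArgv(args);          // needs root / CAP_NET_ADMIN to succeed
    std::printf("iptables exited with %d\n", rc);
    return rc;
}
```

Run it as root with the port as the only argument; the same argv-building pattern extends to any other rule you need without ever concatenating user input into a command string.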
Reputation: 18107
Why not just get the source to iptables and do it like they do it? Since it is open source....
Upvotes: 1