gauravphoenix

Reputation: 3082

How to programmatically access iptables?

Is there a way we can query iptables programmatically without making use of a shell script? I don't have the liberty of using a shell script to run the iptables command and grep the output. Is there native (API) level access to iptables using GNU C? At the bare minimum I would like to query the default policy of iptables.

I was hoping to use the /proc file system, but I don't think it's implemented yet.

Upvotes: 5

Views: 8705

Answers (5)

NetOptimizer

Reputation: 71

You can interface with the iptables library called libiptc.

That's how I have created my Perl interface to iptables: CPAN IPTables::libiptc

But the libiptc library only gives you an API to the basic chain structures. Accessing and parsing the individual rules is a bit more complicated, as it depends on dyn-loading the shared libs of the individual target/match modules.

My approach in my CPAN module is that I have linked with do_command() from iptables.c, for doing rule changes.

Another thing you need to know is that a single iptables call performs these actions:

  1. Copy the entire ruleset from the kernel to userspace
  2. Parse it with libiptc
  3. Perform one or several changes (usually just one change via iptables cmd)
  4. Transform it to kernel blob format, by libiptc
  5. Copy the entire (new) ruleset from userspace to kernel.

Thus, a heavy process, if you only make a single change each time. But you can also use this to your advantage, and perform many changes at once, and have these appear as a single atomic change, by/for the kernel.

Upvotes: 6

gauravphoenix

Reputation: 3082

So it looks like there isn't any way and it's been acknowledged by Netfilter group.

See SO question, How can I programmatically manage iptables rules on the fly?

Upvotes: 3

Friedrich

Reputation: 5996

Hm, why shouldn't he look into the sources of iptables to get an idea? I cannot see why one would use strace to figure it out if the sources just contain the needed code.

Upvotes: 0

Nikodemus RIP

Reputation: 1379

I would use the proc filesystem under /proc/net/. Have a look at http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.9 and look for proc (in different questions).

Upvotes: 0

As I said in a comment, by ltrace-ing iptables -L, I found that there is an iptables-dev package on my Debian/Sid with libipq and related libraries. You probably want to use it.

Upvotes: 0
