
Is there a way we can query iptables programmatically without making use of a shell script? I don't have the liberty of using a shell script to run the iptables command and grep the output. Is there native (API-level) access to iptables using GNU C? At the bare minimum I would like to query the default policy of iptables.

I was hoping to use the /proc file system, but I don't think it's implemented yet.

  • The usual answer to such a question is to try `strace`-ing or `ltrace`-ing the command you want, e.g. `strace iptables -L` – Basile Starynkevitch Dec 22 '11 at 11:24
  • possible duplicate of [How can I programmatically manage iptables rules on the fly?](http://stackoverflow.com/questions/109553/how-can-i-programmatically-manage-iptables-rules-on-the-fly) –  Mar 06 '15 at 23:24



You can interface with the iptables library called libiptc.

That's how I have created my Perl interface to iptables: CPAN IPTables::libiptc

But the libiptc library only gives you an API to the basic chain structures. Accessing and parsing the individual rules is a bit more complicated, as it depends on dyn-loading the shared libs of the individual target/match modules.

My approach in my CPAN module is that I have linked with do_command() from iptables.c, for doing rule changes.

Another thing you need to know is that a single iptables call performs these actions:

  1. Copy the entire ruleset from the kernel to userspace
  2. Parse it with libiptc
  3. Perform one or several changes (usually just one change via iptables cmd)
  4. Transform it to kernel blob format, by libiptc
  5. Copy the entire (new) ruleset from userspace to kernel.

Thus, a heavy process, if you only make a single change each time. But you can also use this to your advantage, and perform many changes at once, and have these appear as a single atomic change, by/for the kernel.

  • Notice, that the command: `iptables-restore` uses the smart approach of doing many changes before submitting the changes to the kernel. – NetOptimizer Oct 01 '12 at 19:01

So it looks like there isn't any way, and it's been acknowledged by the Netfilter group.

See SO question, How can I programmatically manage iptables rules on the fly?

  • What about requesting more modest info: if I just want to know the number of rules in table filter, chain FORWARD? – Bram Jan 22 '23 at 21:22

As I said in a comment, by ltrace-ing iptables -L, I found that there is an iptables-dev package on my Debian/Sid with libipq and related libraries. You probably want to use it.


I would use the proc filesystem under /proc/net/. Have a look at http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.9 and look for proc (in different questions).


Hm, why shouldn't he look into the sources of iptables to get an idea? I can not see why one would use strace to figure it out if the sources just contain the needed code.
