views:

2218

answers:

7

I need to query existing rules, as well as being able to easily add and delete rules. I haven't found any APIs for doing this, is there something that I'm missing?

The closest I've come to a solution is using iptables-save | iptables-xml for querying, and manually calling the iptables command itself to add/delete rules. Another solution I've considered is simply regenerating the entire ruleset out of my application's database and flushing the whole chain, then applying it again - I want to avoid this as I don't want to drop any packets (unless there's a way to atomically do this?). I'm wondering if there's a better way.

An API in C would be great, however as I'm planning to build this into a stand-alone suid program, libraries that do this in ANY language are fine too.

+3  A: 

There is deliberately no API to manage these rules. You're not supposed to want to do so. Or something.

If you need rules which are sufficiently dynamic you care about the performance of executing /sbin/iptables, there are other ways to do it:

  • Using something like the "recent" match or ip set matching, you can add/remove IP addresses from black/white lists without changing the rule set.
  • You can pass packets into userspace for filtering using NFQUEUE
MarkR
It seems silly to me that there's no API for this.I don't really care about the performance as such, but calling iptables feels like a horribly hacky way of doing things.
Ycros
Hmm, I could use ipsets - and from a performance perspective it's a really good idea. Unfortunately I'd have to roll my own kernel, and this isn't possible as some of the places this software will run is on VMs where I can't mess with the kernel easily. And they still don't provide a nice API.
Ycros
ipt_recent is a standard iptables match target which allows you to dynamically add/remove IP addresses from a set by writing to a file in /proc without changing the rules. On the other hand, it's not intended for large sets of IPs and seems to have a fixed maximum limit.
MarkR
A: 

MarkR's right, you're not supposed to do this. The easiest way is to call iptables from the script or to write the iptables config and 'restore' it.

Still, if you want to, read the source of iptables. iptables uses matches and tables as shared objects. You can use the source or them.

The Linux netfilter also has some include files under /usr/include/netfilter*. These are somewhat low-level functions. It is what iptables uses. This is as near an API as one can get without iptables.

But this API is 'messy'. Bear in mind that it was designed to be used only by iptables. It's not very well documented, you can hit very specific problems, the API can change fairly quick without any warning, so an upgrade propably will break your code, etc.

terminus
I can accept that using internal APIs is bad, but why is this so bad that they would deliberately not include a public API? I might go with doing a restore if I can do a restore of a single chain - I'll have to do some testing.
Ycros
Yes, you can restore a single chain. :-)
Chris Jester-Young
There, in the answer.
terminus
A: 

As far as I understand (although no reference seems to mention it), iptables-restore is atomic. At the end, when the COMMIT line is read, iptables calls iptc_commit in libiptc (which in an internal interface you aren't supposed to use), which then calls setsockopt(SO_SET_REPLACE) with your new rulesets.

That sounds about as atomic as you can get: with one kernel call. However, more knowledgeable parties are invited to dispute this. :-)

Chris Jester-Young
+2  A: 

From the netfilter FAQ:

The answer unfortunately is: No.

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was NEVER meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance.

Eric Lathrop
I wonder why the FAQ doesn't address the issue of atomicity. It should; I've gone to the trouble of looking at the implementation of iptables-restore just to make sure it's atomic. It's important to the OP here, and I've had a project that required it too.
Chris Jester-Young
This netfilter mailing list post says iptables-restore is atomic:http://www.mail-archive.com/[email protected]/msg00456.html
Eric Lathrop
+2  A: 

Using iptables-save and iptables-restore to query and regenerate rules is easily the most efficient way of doing it. These used to, once, be shell scripts, but now they are C programs that work very efficiently.

However, I should point out that there is a tool that you can use which will make maintaining iptables much easier. Most dynamic rulesets are really the same rule repeated many times, such as:

iptables -A INPUT -s 1.1.1.1 -p tcp -m --dport 22 -j ACCEPT
iptables -A INPUT -s 2.2.2.0/24 -p tcp -m --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j REJECT

Instead of replacing those rules every time you want to change what ports can access port 22 (useful for say, port knocking), you can use ipsets. Viz:

ipset -N ssh_allowed nethash
iptables -A ssh_allowed -m set --set ssh_allowed src -p tcp -m --dport 22 -j ACCEPT
ipset -A ssh_allowed 1.1.1.1
ipset -A ssh_allowed 2.2.2.0/24

Sets can hold ip addresses, networks, ports, mac addresses, and have timeouts on their records. (Ever wanted to add something for just an hour?).

There is even an atomic way of swapping one set with another, so a refresh means creating a new temporary set, then swapping it in as the name of the existing set.

Jerub
Aye, the top answer mentioned ipsets, but as I said in a comment there - it requires a kernel module which isn't in Ubuntu by default, and it's not something I can install on any of the VMs that I use.
Ycros
Yep, I reported that bug in January '07. https://bugs.launchpad.net/ubuntu/+source/ipset/+bug/79182
Jerub
A: 

http://code.google.com/p/netfilter-api/

I can't believe this guy is really writing an API for netfilter that is based on a desktop toolkit! Just write it in C/C++ without the reliance on QT. What happens with someone wants to use it and they don't want to install QT? They'll probably fork the project :(
Steve Lazaridis
A: 

Man, this is ugly! iptables is not atomic between runs and this means you have to deal with text which is dead slow. Having the IPTC library was at least practical even if it breaks with each other version, that would be our problem!

Now that means my great tool does not work on newer versions of Linux 8-(

Alexis Wilke