I need to control inbound and outbound traffic to/from a Linux box from within a C++ program. I could call iptables from within my program, but I'd much rather cut out the middle man and access the kernel API functions myself.

I believe I need to use libnfnetlink, however, I have not been able to find any API documentation or example programs.

The rules I need to construct are fairly simple, things like dropping packets with a destination port equal to X, etc. I do NOT intend to write a full firewall application.

Can anyone suggest a better approach, or provide a link to some documentation or example apps? I'd rather avoid reading the iptables code, but I guess I may have to if I can't find any better resources.

A: 

Why not just get the source to iptables and do it like they do it? Since it is open source...

Mark0978
Because I need a stable interface, not one that can change at any moment.
Thomi
+3  A: 

Hi,

A year back I was having the same requirement and probed around. But after contacting some open source kernel guys, this is what I came to know:

The kernel APIs of iptables are not externalised, meaning they are not documented APIs. In the sense that the APIs can change at any moment. They should be used only by the iptables tool; they should not be used by application developers.

-satish

Satish
As Mark said, no one can stop you from using it, as it is open source. But you should be careful, as the APIs can change when a need arises. Then your application needs to take care of changes in the behavior of the APIs.
Satish
+1 interesting info. I guess Thomi will do lots of popen("iptables ...")
neuro
Very interesting, thanks for the info!
Thomi
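If the program does end up invoking iptables, the way it is invoked matters: a popen("iptables ... " + port_string) hands the whole command line to a shell, so any parameter that is not strictly validated can add shell syntax or extra iptables options. The following is an added example (my code, not code from anyone in this thread or from the iptables project) of the same call without a shell: the port is validated and re-rendered, an argv is built, and /sbin/iptables is started with fork + execv. It assumes iptables lives at /sbin/iptables (distribution-dependent) and that the process has CAP_NET_ADMIN when it actually applies the rule; the validation and argv construction run without privileges.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define IPT_PATH "/sbin/iptables"   /* assumption: path is distro-dependent */
#define MAX_ARGS 16

/* Accept only a decimal port 1..65535 and return it; 0 means "rejected".
 * Anything else ("22; ls", "22 -j ACCEPT", "") is refused before it can
 * reach iptables, let alone a shell. */
unsigned parse_port(const char *s)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0') return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535) return 0;
    return (unsigned)v;
}

/* Fill argv with "iptables -A|-D INPUT -p tcp --dport PORT -j DROP".
 * portbuf receives the re-rendered port, so argv never points at raw caller
 * input. Returns argc, or -1 if the port was rejected. */
int build_drop_dport_argv(const char *port_str, int delete_rule,
                          char *portbuf, size_t portbuf_len,
                          const char **argv)
{
    unsigned port = parse_port(port_str);
    int argc = 0;
    if (port == 0) return -1;
    snprintf(portbuf, portbuf_len, "%u", port);
    argv[argc++] = IPT_PATH;
    argv[argc++] = delete_rule ? "-D" : "-A";
    argv[argc++] = "INPUT";
    argv[argc++] = "-p";
    argv[argc++] = "tcp";
    argv[argc++] = "--dport";
    argv[argc++] = portbuf;
    argv[argc++] = "-j";
    argv[argc++] = "DROP";
    argv[argc] = NULL;
    return argc;
}

/* Convenience wrapper: argc of the generated rule, -1 if the port was rejected. */
int drop_dport_argc(const char *port_str)
{
    const char *argv[MAX_ARGS];
    char portbuf[8];
    return build_drop_dport_argv(port_str, 0, portbuf, sizeof portbuf, argv);
}

/* fork + execv: no shell, no word splitting. Returns iptables' exit status
 * (0 = rule applied), 127 if exec failed, -1 on fork/wait failure. */
int run_iptables(const char *const *argv)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                        /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *args[MAX_ARGS];
    char portbuf[8];
    if (argc != 2) { fprintf(stderr, "usage: %s PORT\n", argv[0]); return 2; }
    if (build_drop_dport_argv(argv[1], 0, portbuf, sizeof portbuf, args) < 0) {
        fprintf(stderr, "rejected port argument: %s\n", argv[1]);
        return 2;
    }
    return run_iptables(args);             /* needs CAP_NET_ADMIN to succeed */
}
```

The same file compiles as C++ for use from the asker's program. The exit status is worth checking rather than discarding: a non-zero status from iptables means the rule is not in place, which is the condition a firewall-managing program most needs to notice.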
+1  A: 

You should not normally need to change iptables rules on a regular basis (i.e. frequently at runtime). Therefore calling /sbin/iptables should be fine.

If you're trying to do this, then probably you need to look at an alternative match or target module which contains its own intelligence, or use NFQUEUE to queue the packets into a userspace program which can make its own decision based on criteria which can change as often as it likes (beware of sending too many packets into userspace; it's a potential performance problem).

MarkR
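The NFQUEUE route described above, as an added example (my code, not from this answer, the asker, or the netfilter project): the verdict function parses the IPv4 header and TCP destination port out of the raw packet bytes the queue hands to userspace and builds and runs on its own, with a constructed 40-byte sample packet; the libnetfilter_queue glue sits under #ifdef HAVE_NFQ and assumes libnetfilter_queue 1.x, queue number 0, a matching rule such as iptables -A INPUT -p tcp -j NFQUEUE --queue-num 0, and root. The blocked-port list is a constructed policy, not anything from the thread.

```c
#include <netinet/in.h>    /* IPPROTO_TCP */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

/* Constructed policy: inbound TCP to these destination ports is dropped. */
static const uint16_t blocked_dports[] = { 23, 2323 };

int port_is_blocked(uint16_t dport)
{
    size_t i;
    for (i = 0; i < sizeof blocked_dports / sizeof blocked_dports[0]; i++)
        if (blocked_dports[i] == dport) return 1;
    return 0;
}

/* Verdict for raw IPv4 packet bytes as NFQUEUE delivers them. Non-IPv4 and
 * non-TCP traffic is outside this policy and is accepted; a packet too short
 * or malformed to evaluate is dropped (fail closed) rather than let through. */
enum verdict decide(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    uint16_t dport;
    if (len < 20) return VERDICT_DROP;                 /* not even an IPv4 header */
    if ((pkt[0] >> 4) != 4) return VERDICT_ACCEPT;     /* not IPv4: not our policy */
    if (pkt[9] != IPPROTO_TCP) return VERDICT_ACCEPT;  /* not TCP: not our policy */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 4) return VERDICT_DROP; /* cannot read TCP ports */
    dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]); /* big-endian */
    return port_is_blocked(dport) ? VERDICT_DROP : VERDICT_ACCEPT;
}

/* Constructed sample: a 40-byte IPv4+TCP SYN to the given destination port;
 * only the fields decide() reads are meaningful (no checksums). */
size_t build_sample_tcp(uint16_t dport, uint8_t *out, size_t cap)
{
    if (cap < 40) return 0;
    memset(out, 0, 40);
    out[0] = 0x45;                       /* IPv4, IHL 5 (20 bytes) */
    out[3] = 40;                         /* total length */
    out[8] = 64;                         /* TTL */
    out[9] = IPPROTO_TCP;
    out[12] = 10; out[15] = 1;           /* src 10.0.0.1 (constructed) */
    out[16] = 10; out[19] = 2;           /* dst 10.0.0.2 (constructed) */
    out[20] = 0xc0;                      /* source port 49152 */
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    out[32] = 0x50; out[33] = 0x02;      /* data offset 5, SYN */
    return 40;
}

/* Verdict for the sample packet, optionally truncated to len bytes. */
int sample_verdict(uint16_t dport, size_t len)
{
    uint8_t pkt[40];
    size_t n = build_sample_tcp(dport, pkt, sizeof pkt);
    return (int)decide(pkt, len < n ? len : n);
}

#ifdef HAVE_NFQ
/* Queue glue: build with -DHAVE_NFQ -lnetfilter_queue, run as root. */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netfilter.h>                        /* NF_ACCEPT, NF_DROP */
#include <libnetfilter_queue/libnetfilter_queue.h>

static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
              struct nfq_data *nfa, void *data)
{
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    unsigned char *payload = NULL;
    int len = nfq_get_payload(nfa, &payload);       /* char ** on older libs */
    uint32_t id = ph ? ntohl(ph->packet_id) : 0;
    enum verdict v = len < 0 ? VERDICT_DROP : decide(payload, (size_t)len);
    (void)nfmsg; (void)data;
    return nfq_set_verdict(qh, id, v == VERDICT_DROP ? NF_DROP : NF_ACCEPT, 0, NULL);
}

static int run_queue(void)
{
    char buf[65536];
    int rv;
    struct nfq_handle *h = nfq_open();
    struct nfq_q_handle *qh;
    if (!h) { perror("nfq_open"); return 1; }
    nfq_unbind_pf(h, AF_INET);
    nfq_bind_pf(h, AF_INET);
    qh = nfq_create_queue(h, 0, &cb, NULL);         /* --queue-num 0 */
    if (!qh) { perror("nfq_create_queue"); return 1; }
    nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff);    /* copy the whole packet */
    while ((rv = recv(nfq_fd(h), buf, sizeof buf, 0)) >= 0)
        nfq_handle_packet(h, buf, rv);              /* invokes cb() per packet */
    nfq_destroy_queue(qh);
    nfq_close(h);
    return 0;
}
#endif

int main(void)
{
#ifdef HAVE_NFQ
    return run_queue();
#else
    printf("port 23   -> %s\n", sample_verdict(23, 40) ? "DROP" : "ACCEPT");
    printf("port 80   -> %s\n", sample_verdict(80, 40) ? "DROP" : "ACCEPT");
    printf("truncated -> %s\n", sample_verdict(80, 21) ? "DROP" : "ACCEPT");
    return 0;
#endif
}
```

Two design points follow from the answer's caveat. The policy table lives in userspace, so it can change as often as the program likes without touching the kernel's ruleset; and because every queued packet costs a netlink round trip, the NFQUEUE rule should be as narrow as iptables can make it (protocol, interface, connection state) so that only packets needing a userspace decision are queued. If the queue process dies, the kernel's default for an NFQUEUE rule without --queue-bypass is to drop the queued packets, which is fail-closed but needs monitoring.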