iptables c++ control
I need to control inbound and outbound traffic to/from a linux box from within a C++ program. I could call iptables from within my program, but I'd much rather cut out the middle man and access the kernel API functions myself.

I believe I need to use libnfnetlink, however, I have not been able to find any API documentation or example programs.

The rules I need to construct are fairly simple - things like dropping packets with a destination port equal to X etc. I do NOT intend to write a full firewall application.

Can anyone suggest a better approach, or provide a link to some documentation or example apps? I'd rather avoid reading the iptables code, but I guess I may have to, if I can't find any better resources.

Sextans answered 28/8, 2009 at 15:4

Comments:
This is a dup of #110053 - Splurge
If you worry about popen/vfork overhead you can use another process to stack up all iptables changes and commit them once in a while with iptables-restore. - Snowball

A year back I was having the same requirement and probed around. But after contacting some open source kernel guys this is what I came to know:

The kernel APIs of iptables are not externalised, which is to say they are not documented APIs. In that sense, the APIs can change at any moment. They should be used only by the iptables tool; they should not be used by application developers.

-satish

Peacemaker answered 28/8, 2009 at 17:33

Comments:
As Mark said, no one can stop you from using it, as it is open source. But you should be careful, as the APIs can change when a need arises. Then your application needs to take care of changes in the behavior of the APIs. - Peacemaker
+1 interesting info. I guess Thomi will do lots of popen("iptables ...") - Amati

You should not normally need to change IP tables rules on a regular basis (i.e. frequently at runtime). Therefore calling /sbin/iptables should be fine.

If you're trying to do this, then probably you need to look at an alternative match or target module which contains its own intelligence, or use NFQUEUE to queue the packets into a userspace program which can make its own decision based on criteria which can change as often as it likes (beware of sending too many packets into userspace; it's a potential performance problem).

Rose answered 29/8, 2009 at 22:55
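As an added illustration of the approach the answers converge on (calling the iptables tooling rather than the undocumented kernel interface, and batching changes through iptables-restore as Snowball's comment suggests), here is a small C++ program that is not from the thread or from any project mentioned in it. The type and function names (PortRule, buildRestoreScript, applyRules) are this example's own. It builds the rule text in memory, range-checks the only runtime-controlled value (the port) before it is rendered, and hands the whole batch to iptables-restore over its stdin so no rule text is ever spliced into a shell command line.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Added example (not from the thread): one shape for the "call the iptables
// tool" approach. PortRule, buildRestoreScript and applyRules are this
// example's own names, not part of any library.

enum class Direction { Inbound, Outbound };
enum class Proto { Tcp, Udp };

struct PortRule {
    Direction dir;
    Proto proto;
    int port;   // destination port whose packets should be dropped
};

// The port is the only runtime-controlled value that ends up in rule text,
// so it is range-checked before any text is built.
bool validPort(int p) { return p >= 1 && p <= 65535; }

// One line of iptables-restore syntax for a single rule.
std::string ruleLine(const PortRule& r) {
    const char* chain = (r.dir == Direction::Inbound) ? "INPUT" : "OUTPUT";
    const char* proto = (r.proto == Proto::Tcp) ? "tcp" : "udp";
    return std::string("-A ") + chain + " -p " + proto +
           " --dport " + std::to_string(r.port) + " -j DROP";
}

// Build a complete iptables-restore script for the filter table.
// Throws on an invalid port so nothing malformed reaches the tool.
std::string buildRestoreScript(const std::vector<PortRule>& rules) {
    std::string script = "*filter\n";
    for (const PortRule& r : rules) {
        if (!validPort(r.port))
            throw std::invalid_argument("port out of range: " + std::to_string(r.port));
        script += ruleLine(r) + '\n';
    }
    script += "COMMIT\n";
    return script;
}

// Load the whole batch in one go through iptables-restore's stdin.
// --noflush keeps the rules already present; without it the filter table
// is replaced by the script. Needs CAP_NET_ADMIN (i.e. root).
// Returns the wait status from pclose (0 on success) or -1 if the
// process could not be started.
// Caveat: re-running appends the same rules again; in real code keep them
// in a dedicated chain that the script flushes, or test with "iptables -C"
// before adding.
int applyRules(const std::string& script) {
    FILE* pipe = popen("/sbin/iptables-restore --noflush", "w");
    if (!pipe) return -1;
    std::fwrite(script.data(), 1, script.size(), pipe);
    return pclose(pipe);
}

int main() {
    std::vector<PortRule> rules = {
        {Direction::Inbound,  Proto::Tcp, 23},   // drop inbound telnet
        {Direction::Outbound, Proto::Udp, 69},   // drop outbound tftp
    };
    std::string script = buildRestoreScript(rules);
    std::fputs(script.c_str(), stdout);   // show the batch that would be loaded
    // applyRules(script);  // uncomment to load it (requires root)
    return 0;
}
```

Keeping the rule text generation separate from the privileged step means the generated script can be unit-tested and logged without root, and a malformed port is rejected before iptables-restore ever runs; the process-spawn cost that Snowball's comment mentions is paid once per batch rather than once per rule.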

Why not just get the source to iptables and do it like they do it? Since it is open source....

Bistre answered 28/8, 2009 at 17:31

Comments:
Because I need a stable interface, not one that can change at any moment. - Sextans

In cross platform network ( https://bitbucket.org/ptroen/crossplatformnetwork/ ) I wrote a very elegant IPTables firewall wrapper where you can control the firewall via JSON (up to two different nics). The source is here:

https://bitbucket.org/ptroen/crossplatformnetwork/src/master/Tools/FirewallScript/FirewallScript.cc

Make File here: https://bitbucket.org/ptroen/crossplatformnetwork/src/master/Tools/FirewallScript/FirewallScript.make

Note: if there is no JSON file in your filesystem, it will generate one for you when you run it the first time.

and the rest of the source is in this folder: https://bitbucket.org/ptroen/crossplatformnetwork/src/master/OSManagement/Firewall/

I also made some remarks in the final report on the operation: https://bitbucket.org/ptroen/crossplatformnetwork/src/master/Cross%20Platform%20High%20Concurrent%20Network%20Framework%20Final%20Report.pdf

I'll just paste what you may have to deal with to get it working:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
install iptables services: sudo dnf iptables-services
start the iptables service: systemctl start iptables.service
sudo systemctl restart iptables
sudo iptables -L to inspect

The only build dependency is Boost C++.

Pedersen answered 2/3, 2022 at 6:48
