On Sat, 11 Dec 2010, James Nurmi wrote:
> I realize this has come up a few times, but I'd like to programmatically be able to query and modify IPTables rules, without shelling out. After digging, it would seem there's been some discussion around this issue, but I was unable to find any resolution.
I have created a Perl CPAN module named IPTables::libiptc, for doing iptables manipulation directly from Perl.
The only problem with this Perl module is that I have not had time to update it to use the newer libiptc API introduced (by Jan) in 1.4.3. Thus, it's only compatible below version 1.4.3.
> For curiosity's sake, I did a bit of reverse engineering and discovered that the functionality I'm interested in appears to be handled through set/getsockopt and requires a large amount of handling for both COMPAT and not COMPAT kernel compilations, leading to structures potentially being packed differently on the way in than on the way out, so a "trivial" implementation was just out as far as I could tell.
You should use libiptc for parsing the "blob".

Cheers,
Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
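As an added example (not code from the thread and not part of the IPTables::libiptc distribution), here is a small Perl script that does what the thread describes: it reads the filter table through the IPTables::libiptc binding instead of shelling out or parsing the getsockopt blob by hand, and only touches the kernel when explicitly asked to. The method names used (init, list_chains, builtin, get_policy, list_rules_IPs, iptables_do_command, commit) are as I recall them from the module's documentation and should be checked against `perldoc IPTables::libiptc` for the installed version; 192.0.2.1 is a constructed placeholder from the documentation address range. It needs root (CAP_NET_ADMIN) and, per the caveat above, an iptables/libiptc older than 1.4.3.

```perl
#!/usr/bin/perl
# Added example, not from the thread: audit the "filter" table via
# IPTables::libiptc and optionally append one rule. Method names are as
# recalled from the module's POD (assumption); verify with perldoc.
# Usage:  ./ipt-audit.pl           (read-only listing)
#         ./ipt-audit.pl --apply   (also append the DROP rule and commit)
use strict;
use warnings;
use IPTables::libiptc;

my $apply = grep { $_ eq '--apply' } @ARGV;

# init() fetches the whole table through getsockopt and lets libiptc deal
# with the COMPAT/non-COMPAT layout differences discussed in the thread.
my $table = IPTables::libiptc::init('filter')
    or die "init('filter') failed: $!\n";

# Walk every chain: built-in chains carry a policy and counters, user-defined
# chains do not. list_rules_IPs('src'|'dst', $chain) returns the address/mask
# of each rule in that chain that matches on the given field.
for my $chain ( $table->list_chains() ) {
    if ( $table->builtin($chain) ) {
        my ( $policy, $pkts, $bytes ) = $table->get_policy($chain);
        printf "%-16s policy %-6s (%d pkts, %d bytes)\n",
            $chain, $policy, $pkts, $bytes;
    }
    else {
        printf "%-16s (user-defined chain)\n", $chain;
    }
    printf "    src %s\n", $_ for $table->list_rules_IPs( 'src', $chain );
    printf "    dst %s\n", $_ for $table->list_rules_IPs( 'dst', $chain );
}

# Nothing above has changed the kernel; the handle is a private snapshot.
exit 0 unless $apply;

# iptables_do_command takes the same argument vector the iptables binary
# would and applies it to the in-memory copy of the table.
# 192.0.2.1 is a constructed documentation address, not a real host.
$table->iptables_do_command(
    [ '-A', 'INPUT', '-s', '192.0.2.1', '-j', 'DROP' ] )
    or die "iptables_do_command failed: $!\n";

# commit() pushes the whole table back with one setsockopt; if it fails the
# kernel ruleset is left exactly as it was, which is the property you lose
# when you shell out to iptables once per rule.
$table->commit() or die "commit failed: $!\n";
print "rule appended and committed\n";
```

Running it without `--apply` is a safe way to confirm the binding works against the installed libiptc before letting it write anything; the `--apply` path shows the snapshot-then-commit model that makes a multi-rule change atomic from the kernel's point of view.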