Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

Bruno Negrão wrote:
> My question is exactly the one in the e-mail subject: Is IPTables::IPv4
> Perl module trustable?
>
> This module is a perl interface to the 'libiptc' library, written by
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
>
> "4.5 Is there a C/C++ API for adding/removing rules?
> The answer unfortunately is: No.
> Now you might think 'but what about libiptc?'. As has been pointed out
> numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used
> as a public interface. We don't guarantee a stable interface, and it is
> planned to remove it in the next incarnation of linux packet filtering.
> libiptc is way too low-layer to be used reasonably anyway.
> We are well aware that there is a fundamental lack for such an API, and we
> are working on improving that situation. Until then, it is recommended to
> either use system() or open a pipe into stdin of iptables-restore. The
> latter will give you a way better performance."

The ways they suggest will work, but not very well, and they're really quite ugly. Yes, a whole new userspace tool for managing netfilter rules will eventually be written - but that's still a ways off, and until the kernel side interface changes, the libiptc code which I'm using from the iptables codebase will continue to work just fine, thank you.


> Has someone else already tested it before? Does someone else there know
> its internals?

I don't really know what you're saying here. But really, you can test it any way you need to, or have whoever you want test it for you - the source is there for your (or anybody's) perusal. It incorporates a fair amount of code on top of libiptc so that you don't have to know the raw data structures, and generally makes things a good bit nicer than calling libiptc directly, and way cleaner than assembling command lines and using system() to call out to iptables (I've tried that before, long ago, and it caused me great pain. Or maybe that was just lunch one day... I forget now.)


--
Derrik Pates
dpates@xxxxxxxxxx
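The FAQ passage quoted in this thread recommends opening a pipe into stdin of iptables-restore rather than assembling iptables command lines for system(). The following is an added example, not code from this post and not part of IPTables::IPv4: it keeps rules as structured data, validates each field before rendering, and feeds the rendered ruleset to iptables-restore over a pipe with no shell in between, so an untrusted value such as an address cannot smuggle extra options into the command. The sample rules are constructed for the example; the chain, target and protocol whitelists are a design choice of this example; the `--test` and `--noflush` flags are real iptables-restore options.

```python
import ipaddress
import shutil
import subprocess

# Constructed sample policy for this example: every rule is structured data,
# never a pre-assembled command string.
SAMPLE_RULES = [
    {"chain": "INPUT", "src": "192.0.2.0/24", "proto": "tcp", "dport": 22, "target": "ACCEPT"},
    {"chain": "INPUT", "src": "198.51.100.7", "proto": "tcp", "dport": 80, "target": "DROP"},
]

# Whitelists chosen for this example; widen them to match your own policy.
ALLOWED_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
ALLOWED_TARGETS = {"ACCEPT", "DROP", "REJECT"}
ALLOWED_PROTOS = {"tcp", "udp"}


def format_rule(rule):
    """Validate one structured rule and render it in iptables-restore syntax."""
    chain = rule["chain"]
    if chain not in ALLOWED_CHAINS:
        raise ValueError(f"unknown chain {chain!r}")
    target = rule["target"]
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"unknown target {target!r}")
    proto = rule["proto"]
    if proto not in ALLOWED_PROTOS:
        raise ValueError(f"unknown protocol {proto!r}")
    # ip_network() rejects anything that is not an address or prefix, so a
    # value like "10.0.0.0/8 -j ACCEPT" raises instead of adding options.
    # strict=False normalises a host address to a /32 (or /128) network.
    src = ipaddress.ip_network(rule["src"], strict=False)
    dport = int(rule["dport"])  # int() rejects "22; anything" outright
    if not 1 <= dport <= 65535:
        raise ValueError(f"port out of range: {dport}")
    # -p must precede --dport so the tcp/udp match module is loaded first.
    return f"-A {chain} -s {src} -p {proto} --dport {dport} -j {target}"


def build_ruleset(rules, table="filter"):
    """Render a complete iptables-restore input block for one table."""
    lines = [f"*{table}"]
    lines += [format_rule(r) for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def load_ruleset(text, test_only=True):
    """Pipe the ruleset into iptables-restore; no shell is involved.

    --noflush appends to the existing table instead of replacing it.
    --test parses and builds the ruleset without committing it.
    Returns the exit status, or None if iptables-restore is not installed.
    """
    exe = shutil.which("iptables-restore")
    if exe is None:
        return None
    cmd = [exe, "--noflush"]
    if test_only:
        cmd.append("--test")
    proc = subprocess.run(cmd, input=text, text=True, capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    ruleset = build_ruleset(SAMPLE_RULES)
    print(ruleset, end="")
    # Dry run only; needs root and a netfilter-capable kernel to mean anything.
    print("iptables-restore --test exit status:", load_ruleset(ruleset))
```

Because the whole table is sent in one write and committed by iptables-restore at `COMMIT`, the kernel sees the rules as a single atomic update instead of the one-rule-at-a-time window that a loop of system() calls leaves open.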

