Re: Programming without using iptables

On Tue, 29-03-2005 at 18:44 -0800, Suchitra H wrote:
> Hi Everyone,
>                          I am working on a firewall project, where I need to replace the iptables part (which is complicated) with my own code (hopefully it will be simpler), making use of libiptc. The whole idea is to program as though iptables doesn't exist and write my own code which is capable of performing all the commands and output the desired results. I have been able to do so for listing the chains, policy and counters. Now I want to set the policy for a built-in chain. Is it possible to do so using libiptc? Or is there any other alternative to this?
>                  Not able to find any suitable resource on the net. Just one - Querying libiptc - HOWTO, which has been of great help but is very limited.
>                   Any suggestions, solutions to the above problem would be of great help!
>  
> Suchitra.

I'd like to advise you that the Querying libiptc HOWTO has a big
error in its examples, that makes the programs allocate memory
and then not free it. So the programs get bigger and bigger in
memory and you get a DoS.

We discovered this when we wrote the bastion-firewall-stats
daemon, that uses libiptc to read the iptables counters.

We sent an email to the author of the HOWTO but we have not
received any response and the HOWTO is still untouched.

The trick is that you have to free the memory after reading
the counters, so the code is something like:

      /* iptc_init() snapshots the table into a freshly allocated handle */
      if ( !(h = iptc_init(tablename)) ) {
         syslog(LOG_INFO, "bfs error initializing: %s\n", iptc_strerror(errno));
         exit(errno);
      }

That allocates memory. And then:

      iptc_free(&h);   /* release the snapshot taken by iptc_init() */

To free the memory. This line is the one not included in the
HOWTO.

If you want you can download our GPL code at:
http://www.bgsec.com/downloads.html

Regards.

-- 

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
