Hi, I'm looking for a way to control an iptables match from a C/C++ program. My goal is to have a simple match module which can be told from userspace to either return 0 or 1 in its match function (this would be useful for dynamically turning on/off several more complicated rules without inserting/removing them from the iptables tables, i.e. without using libiptc (for which I haven't found an easy way on how to use it anyway...) or iptables itself). The netfilter Hacking HOWTO mentions nf_register_sockopt for such tasks (receiving commands from userspace) - is this still the way to go, or is it going to be removed in the (not so far) future (e.g. in favor of netlink)? Another way would be the use of sysfs, but it seems to be more for device drivers than this; configfs is still relatively new and probably not available for older kernels... Or is there even a simpler way to do such a thing? Any ideas/hints?

Best regards,
Manfred.