Re: Issue with specifying interface/NIC name with drop packets rule

ya,
I faced the same issue; the ipt library cannot be used directly. They
warned about it in the Readme.

You can do a fork-exec of iptables or iptables-restore.



On Mon, Nov 24, 2014 at 8:58 PM, Vijay Kumar K <kvijay@xxxxxxxxx> wrote:
> Hi Vishy,
>     Thanks for the quick response. We have tried with the command line, and that
> seems to work fine. But we need to use it through a program; are there any
> known issues with the iptables library for this kind of usage? What options do we
> have to reuse iptables in a programming model instead of the command line to
> add rules to allow or drop packets on specific NICs?
>
> Please clarify.
>
> Thanks & Regards
> VijayK
>
> On Tue, Nov 25, 2014 at 2:06 AM, Vijay Viswanathan <vijay.vishy@xxxxxxxxx>
> wrote:
>>
>> Have you tried it from command line iptables ... ?
>> The readme of iptables says not to use library/API.
>>
>> On Mon, Nov 24, 2014 at 6:12 AM, Vijay Kumar K <kvijay@xxxxxxxxx> wrote:
>> > Hi,
>> >  I am using iptables library 1.4.15 on my Linux machine and building
>> > it to define and add the iptables rules. I have multiple NIC
>> > cards ("eth0" and "eth1") on my machine and I need to add rules
>> > specific to some of these NICs. Allow and drop rules are working fine
>> > as long as the NIC is not specified, but when I add a rule with a
>> > specific NIC name like "eth0" to drop packets,
>> > I see it is dropping packets for all the interfaces. Is there any known
>> > issue with specifying the NIC name?
>> >
>> > The invocation path is like this:
>> >    addMyRule(srcIp, srcIpNetmask, destIp, destIpNetmask,nicName,
>> > proto, sport_min,sport_max, dport_min, dport_max,precedence, action,
>> > 0) -> iptc_insert_entry
>> >    Invocation with the values:  addMyRule(inaddr_any, 0, inaddr_any,
>> > 0,"eth0", 0, 0, 65535,80,80,2,0,0)
>> > In the implementation of addMyRule, ipt_entry is instantiated and the NIC
>> > name is copied to the "iniface" attribute of the "ipt_ip" in "ipt_entry":
>> > e = (struct ipt_entry *)malloc(total_length);
>> >     if (nicName)
>> >     {
>> >         /* bounded copy: iniface is a fixed IFNAMSIZ-byte array */
>> >         strncpy(e->ip.iniface, nicName, IFNAMSIZ - 1);
>> >     }
>> >
>> >  I searched the net for known issues, but I could not find anything
>> > related. Any help in this regard would be highly appreciated.
>> >
>> > Thanks & Regards
>> > Vijay
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> > the body of a message to majordomo@xxxxxxxxxxxxxxx
>> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
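The symptom in the thread (a rule with "eth0" in iniface dropping traffic on every interface) comes from how the kernel applies the interface match: it compares the incoming device name against iniface only through the bytes selected by iniface_mask, and the snippet in the question never sets that mask, so an all-zero mask matches everything. The following is an added example, not code from the netfilter project or from anyone on this list. It uses a small stand-in struct (iface_match, a hypothetical name) carrying the two fields of struct ipt_ip that matter here, fills the mask the way the iptables command-line parser does for "-i NAME" and "-i PREFIX+", and reproduces the kernel's byte-wise XOR-and-mask test. It runs stand-alone without libiptc or root.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16   /* same size the kernel uses for interface names */
#endif

/* Hypothetical stand-in for the two ipt_ip fields behind the -i match. */
struct iface_match {
    char iniface[IFNAMSIZ];
    unsigned char iniface_mask[IFNAMSIZ];
};

/* Fill iniface and iniface_mask the way the iptables CLI parser does:
 * the mask covers the name plus its terminating NUL, or only the prefix
 * when the name ends in the '+' wildcard (the '+' itself is dropped here;
 * iptables keeps it, but it lies outside the mask either way).
 * Returns false when the name is empty or does not fit. */
bool set_iniface(struct iface_match *m, const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ)
        return false;
    memset(m->iniface, 0, IFNAMSIZ);
    memset(m->iniface_mask, 0, IFNAMSIZ);
    if (name[len - 1] == '+') {
        memcpy(m->iniface, name, len - 1);        /* prefix only */
        memset(m->iniface_mask, 0xFF, len - 1);   /* compare the prefix */
    } else {
        memcpy(m->iniface, name, len);
        memset(m->iniface_mask, 0xFF, len + 1);   /* name and its NUL */
    }
    return true;
}

/* Kernel-style test: the rule matches when (ifname XOR iniface) AND mask
 * is zero in every byte. With an all-zero mask every device matches. */
bool iface_matches(const struct iface_match *m, const char *ifname)
{
    char dev[IFNAMSIZ];
    unsigned char diff = 0;
    memset(dev, 0, IFNAMSIZ);
    strncpy(dev, ifname, IFNAMSIZ - 1);
    for (int i = 0; i < IFNAMSIZ; i++)
        diff |= ((unsigned char)dev[i] ^ (unsigned char)m->iniface[i])
                & m->iniface_mask[i];
    return diff == 0;
}

/* The pattern from the question: name copied, iniface_mask left at zero. */
bool buggy_rule_matches(const char *rule_iface, const char *ifname)
{
    struct iface_match m;
    memset(&m, 0, sizeof m);
    strncpy(m.iniface, rule_iface, IFNAMSIZ - 1);   /* mask stays all-zero */
    return iface_matches(&m, ifname);
}

/* Same rule with the mask filled in as iptables would. */
bool fixed_rule_matches(const char *rule_iface, const char *ifname)
{
    struct iface_match m;
    if (!set_iniface(&m, rule_iface))
        return false;
    return iface_matches(&m, ifname);
}

int main(void)
{
    printf("buggy -i eth0 vs eth1:  %d\n", buggy_rule_matches("eth0", "eth1"));
    printf("fixed -i eth0 vs eth1:  %d\n", fixed_rule_matches("eth0", "eth1"));
    printf("fixed -i eth0 vs eth0:  %d\n", fixed_rule_matches("eth0", "eth0"));
    printf("fixed -i eth+ vs eth1:  %d\n", fixed_rule_matches("eth+", "eth1"));
    printf("fixed -i eth+ vs wlan0: %d\n", fixed_rule_matches("eth+", "wlan0"));
    return 0;
}
```

When building an ipt_entry by hand, the practical check is that iniface_mask (and outiface_mask for -o) is non-zero for exactly the bytes of the name you want compared; a quick way to confirm what the kernel sees is to insert the rule and compare `iptables -L -v` output with a rule added from the command line for the same interface.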