linux – 我如何以编程方式管理iptables规则在飞行?

我需要查询现有规则,以及能够轻松添加和删除规则。我没有找到任何API的这样做。有没有我缺少的东西?

我最近的一个解决方案是使用iptables-save | iptables-xml用于查询和手动调用iptables命令本身来添加/删除规则。我考虑的另一个解决方案是简单地从我的应用程序的数据库重新生成整个规则集,并刷新整个链,然后再次应用它。但我想避免这一点,因为我不想丢弃任何数据包 – 除非有一种方式原子地做到这一点。我想知道是否有一个更好的方法。

C中的API将是巨大的;然而,由于我打算将它构建成一个独立的suid程序,所以以任何语言做这个的图书馆也很好。

最佳答案
netfilter FAQ

The answer unfortunately is: No.

Now you might think ‘but what about libiptc?’. As has been pointed out numerous times on the mailinglist(s), libiptc was NEVER meant to be used as a public interface. We don’t guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance.

转载注明原文:linux – 我如何以编程方式管理iptables规则在飞行? - 代码日志