How can I programmatically manage iptables rules on the fly?


Question

I need to query existing rules, as well as being able to easily add and delete rules. I haven't found any APIs for doing this. Is there something that I'm missing?

The closest I've come to a solution is using iptables-save | iptables-xml for querying and manually calling the iptables command itself to add/delete rules. Another solution I've considered is simply regenerating the entire ruleset out of my application's database and flushing the whole chain, then applying it again. But I want to avoid this as I don't want to drop any packets -- unless there's a way to atomically do this. I'm wondering if there's a better way.

An API in C would be great; however, as I'm planning to build this into a stand-alone suid program, libraries that do this in ANY language are fine too.

Answer

From the netfilter FAQ:

Unfortunately, the answer is: not yet.

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailing list(s), libiptc was NEVER meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of Linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack of such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance.
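The pipe-into-iptables-restore approach from the FAQ, written out as an added Python example (not code from the answer or from the netfilter project): parse_save reads iptables-save output to answer the "query existing rules" part of the question, render_restore builds one table's restore input, and apply_ruleset feeds it to iptables-restore's stdin so the table is swapped in a single COMMIT rather than flushed and rebuilt. The function names are my own and the sample save output is constructed.

```python
import subprocess

# Constructed sample of `iptables-save` output (not captured from a real host).
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [12:960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Parse iptables-save text into {table: {chain: [rule spec, ...]}}.
    ':CHAIN POLICY [..]' creates a chain; '-A CHAIN spec' appends a rule."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # start of a table block
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):          # chain with policy and counters
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):        # appended rule
            _, chain, spec = line.split(" ", 2)
            tables[table].setdefault(chain, []).append(spec)
    return tables


def render_restore(table, policies, chains):
    """Build iptables-restore input for one table. Everything up to COMMIT is
    applied as one unit, so the kernel swaps old ruleset for new atomically."""
    lines = ["*" + table]
    lines += [":%s %s [0:0]" % (chain, pol) for chain, pol in policies.items()]
    for chain, specs in chains.items():
        lines += ["-A %s %s" % (chain, spec) for spec in specs]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def apply_ruleset(restore_text):
    """Pipe the ruleset into iptables-restore (needs CAP_NET_ADMIN); without
    --noflush every table listed in the input is replaced wholesale."""
    subprocess.run(["iptables-restore"], input=restore_text.encode(), check=True)


def current_rules():
    """Query the live rules by parsing iptables-save output (needs CAP_NET_ADMIN)."""
    out = subprocess.run(["iptables-save"], capture_output=True, check=True).stdout
    return parse_save(out.decode())
```

Because the whole table is committed at once, a chain with a DROP policy is never left empty between the flush and the re-add, which is the packet-loss window the question wants to avoid.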
