NAME
IPTables::libiptc - Perl extension for iptables libiptc
SYNOPSIS
use IPTables::libiptc;
$table = IPTables::libiptc::init('filter');
$table->create_chain("mychain");
# It's important to commit/push-back the changes to the kernel
$table->commit();
DESCRIPTION
This package provides a perl interface to the netfilter/iptables C-code and library libiptc.
Advantages of this module: many rule changes can be done very fast, and several rule changes are committed atomically.
This module is heavily inspired by the CPAN module IPTables-IPv4. The CPAN module IPTables-IPv4 could not be used because it has not been kept up-to-date with the newest iptables extensions. This is a result of the module design, as it contains every extension and thus needs to port them individually.
This package takes another approach: it links with the system's libiptc.a library and depends on dynamic loading of the iptables extensions available on the system.
CHANGES: as libiptc.c contained some bugs, it has been necessary to include it in the module and compile libiptc.a ourselves. The module still depends on the iptables extensions being available on the system. This unfortunately introduces a dependency on iptables version 1.3.4.
NOTE: The bug has been fixed (by me) and included in iptables release 1.3.6.
The module only exports the libiptc chain manipulation functions. All rule manipulations are done through the iptables.c do_command function. As iptables.c is not built as a library, the package unfortunately needs to maintain/contain this C file.
Iptables kernel to userspace design
The reasoning behind making this module comes from how iptables/libiptc communicate with the kernel: iptables/libiptc transfers the entire ruleset from the kernel to userspace, and back again after making changes to it.
This is a fairly large operation if only a single rule is changed, yet that is exactly what the iptables command does on every invocation.
With this in mind it makes sense to make several changes before committing them (the entire ruleset) back to the kernel. This is the behaviour and purpose of this perl module.
This is also what makes it so fast to make many rule changes, and it gives the property that several rule changes are committed atomically.
METHODS
Most methods will return 1 for success, or 0 for failure (and on failure, set $! to a string describing the reason for the failure). Unless otherwise noted, you can assume that all methods will use this convention.
Chain Operations
- get_policy

  my ($policy) = $table->get_policy('chainname');
  my ($policy, $pkt_cnt, $byte_cnt) = $table->get_policy('chainname');

  This returns an array containing the default policy, and the number of packets and bytes which have reached the default policy, in the chain chainname. If chainname does not exist, or if it is not a built-in chain, an empty array will be returned, and $! will be set to a string containing the reason.

- set_policy

  $success = $table->set_policy('chainname', 'target');
  $success = $table->set_policy('chainname', 'target', 'pkt_cnt', 'byte_cnt');
  ($success, $old_policy, $old_pkt_cnt, $old_byte_cnt) = $table->set_policy('chainname', 'target');

  Sets the default policy. set_policy can be called in several ways. Upon successfully setting the policy, the old policy and counters are returned. The counter values are optional.

- create_chain

  $success = $table->create_chain('chainname');

  Creates the chain chainname.

- is_chain

  $success = $table->is_chain('chainname');

  Checks if the chain exists.

- builtin

  $success = $table->builtin('chainname');

  Tests if chainname is a built-in chain.

- delete_chain

  $success = $table->delete_chain('chainname');

  Tries to delete the chain; returns false if it could not.

- get_references

  $refs = $table->get_references('chainname');

  Gets a count of how many rules reference/jump to this chain.

Listing Operations
- list_chains

  @array = $table->list_chains();
  $number_of_chains = $table->list_chains();

  Lists all chains. Returns the number of chains in SCALAR context.

- list_rules_IPs

  @array = $table->list_rules_IPs('type', 'chainname');
  $number_of_rules = $table->list_rules_IPs('type', 'chainname');

  This function lists the source or destination IPs of the rules in a given chain. type is either src or dst, for source and destination IPs respectively. The netmask is also listed together with each IP, separated by a / character. If chainname does not exist, undef is returned.
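The listing methods above are read-only, which makes them suitable for auditing a live ruleset without touching it. The following script is an added example and is not part of the module's documentation: it walks every chain in the filter table with list_chains, pulls the source and destination addresses with list_rules_IPs, and reports rules that match any address. It assumes the "address/mask" entries carry either a dotted mask (0.0.0.0) or a prefix length (0), since the documentation only states that the two are separated by a slash; root privileges are needed to read the table, as with iptables itself.

```perl
#!/usr/bin/perl
# Added example (not from the module's documentation): read-only audit of
# the filter table for rules whose source or destination is unrestricted.
# No commit() is issued, so the kernel ruleset is never modified.
use strict;
use warnings;
use IPTables::libiptc;

# Split one "address/mask" string as returned by list_rules_IPs.
# Assumption: the mask is either dotted-quad or a prefix length.
sub parse_ip_mask {
    my ($entry) = @_;
    my ($ip, $mask) = split m{/}, $entry, 2;
    return ($ip, $mask);
}

# True when an address/mask pair matches every IPv4 address.
sub is_any_address {
    my ($ip, $mask) = @_;
    return 0 unless $ip eq '0.0.0.0';
    return 1 unless defined $mask;               # no mask listed at all
    return ($mask eq '0.0.0.0' || $mask eq '0') ? 1 : 0;
}

# Return a list of [chain, type, entry] for every any-address rule.
sub find_wildcards {
    my ($table) = @_;
    my @findings;
    for my $chain ($table->list_chains()) {
        for my $type (qw(src dst)) {
            my @entries = $table->list_rules_IPs($type, $chain);
            # list_rules_IPs returns undef when the chain does not exist.
            next unless @entries && defined $entries[0];
            for my $entry (@entries) {
                my ($ip, $mask) = parse_ip_mask($entry);
                push @findings, [ $chain, $type, $entry ]
                    if is_any_address($ip, $mask);
            }
        }
    }
    return @findings;
}

my $table = IPTables::libiptc::init('filter')
    or die "init(filter) failed: $!";

my $chain_count = $table->list_chains();         # scalar context: a count
print "filter table has $chain_count chains\n";

for my $finding (find_wildcards($table)) {
    my ($chain, $type, $entry) = @$finding;
    printf "%-20s %-3s matches any address: %s\n", $chain, $type, $entry;
}
```

Because nothing is committed, the script can be run from a cron job or a monitoring agent as a cheap drift check: a new any-address rule appearing in a chain that should only carry host-specific entries is worth an alert.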
Rules Operations
No rule manipulation functions are mapped/exported from libiptc; instead the iptables do_command function is exported for this purpose.
Iptables commands (from iptables.h)
- iptables_do_command

  $table->iptables_do_command(\@array_ref);

  Example of an array which contains a command:

  my @array = ("-I", "test", "-s", "4.3.2.1", "-j", "ACCEPT");
  $table->iptables_do_command(\@array);
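The design section explains the module's main benefit: every chain or rule change edits the in-memory copy of the ruleset, and only commit() pushes it to the kernel in one atomic write. The following script is an added example, not code from the module or its author, that puts the chain operations and iptables_do_command together around a single commit. The chain name, the management addresses (from the RFC 5737 documentation range) and the SSH port are constructed sample values; running it requires root privileges and the iptables extensions installed on the system, as the documentation notes.

```perl
#!/usr/bin/perl
# Added example (not from the module's documentation): build an SSH
# allowlist chain with several rule changes and one atomic commit.
use strict;
use warnings;
use IPTables::libiptc;

# Constructed sample data (hypothetical): a chain name and admin hosts.
my $chain  = 'mgmt_ssh';
my @admins = ('192.0.2.10', '192.0.2.11');

# One round-trip: the whole ruleset is copied from the kernel here ...
my $table = IPTables::libiptc::init('filter')
    or die "init(filter) failed: $!";

# Create the chain only if it is not already present.
unless ($table->is_chain($chain)) {
    $table->create_chain($chain)
        or die "create_chain($chain) failed: $!";
}

# Each command below edits the in-memory copy only; the kernel does not
# see any of them until commit() is called.
my @commands = (
    (map { [ '-A', $chain, '-s', $_, '-p', 'tcp', '--dport', '22', '-j', 'ACCEPT' ] } @admins),
    [ '-A', $chain, '-j', 'DROP' ],                                   # default: deny
    [ '-I', 'INPUT', '-p', 'tcp', '--dport', '22', '-j', $chain ],    # hook it in
);
for my $cmd (@commands) {
    $table->iptables_do_command($cmd)
        or die "iptables @$cmd failed: $!";
}

# get_policy only works on built-in chains, so check with builtin() first.
if ($table->builtin('INPUT')) {
    my ($policy, $pkts, $bytes) = $table->get_policy('INPUT');
    die "get_policy(INPUT) failed: $!" unless defined $policy;
    print "INPUT default policy is $policy ($pkts packets, $bytes bytes)\n";
}

# Report how many rules now jump to the new chain (expected: 1).
printf "%s is referenced by %d rule(s)\n", $chain, $table->get_references($chain);

# ... and written back in a single atomic operation here. Without this
# call none of the changes above take effect.
$table->commit() or die "commit failed: $!";
printf "committed %d rule changes in one transaction\n", scalar @commands;
```

If any step fails before commit(), the script dies and the kernel ruleset is left exactly as it was, which is the atomicity property the design section describes; the same sequence run as individual iptables invocations would leave a half-applied chain behind.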
EXPORT
None by default.
Exportable constants
IPT_MIN_ALIGN
SEE ALSO
Module source also available here: http://people.netfilter.org/hawk/perl_modules/
The Netfilter/iptables homepage: http://www.netfilter.org
AUTHOR
Jesper Dangaard Brouer, <hawk@diku.dk> or <hawk@people.netfilter.org>.
Author's SVN version information
$LastChangedDate: 2008-06-17 16:07:41 +0200 (Tue, 17 Jun 2008) $
$Revision: 590 $
$LastChangedBy: jdb $
COPYRIGHT AND LICENSE
Copyright (C) 2006 by Jesper Dangaard Brouer
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.4 or, at your option, any later version of Perl 5 you may have available.