How to programmatically access iptables?

Is there a way we can query iptables programmatically without making use of a shell script? I don't have the liberty of using a shell script to run the iptables command and grep its output. Is there native (API-level) access to iptables using GNU C? At the bare minimum I would like to query the default policy of iptables.

I was hoping to use the /proc file system, but I don't think it's implemented yet.

gauravphoenix asked Jan 19 '23 00:01


2 Answers

You can interface with the iptables library called libiptc.

That's how I have created my Perl interface to iptables: CPAN IPTables::libiptc

But the libiptc library only gives you an API to the basic chain structures. Accessing and parsing the individual rules is a bit more complicated, as it depends on dyn-loading the shared libs of the individual target/match modules.

My approach in my CPAN module is that I have linked with do_command() from iptables.c, for doing rule changes.

Another thing you need to know is that a single iptables call performs these actions:

  1. Copy the entire ruleset from the kernel to userspace
  2. Parse it with libiptc
  3. Perform one or several changes (usually just one change via iptables cmd)
  4. Transform it to kernel blob format, by libiptc
  5. Copy the entire (new) ruleset from userspace to kernel.

Thus it is a heavy process if you only make a single change each time. But you can also use this to your advantage and perform many changes at once, and have these appear as a single atomic change by/for the kernel.

NetOptimizer answered Jan 20 '23 12:01
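Reading the default policy the question asks about, done the way libiptc does it under the hood (step 1 of the list above: two getsockopt() calls that copy the whole table from the kernel to userspace, after which the builtin chain's terminal rule carries the policy). This is an added example, not code from the answer or from IPTables::libiptc; it uses only the kernel UAPI headers, must run with CAP_NET_ADMIN, and the table name "filter" and the INPUT hook are assumptions for the common case.

```c
/* Read a builtin chain's default policy the way libiptc does internally: copy
 * the table from the kernel with getsockopt() and inspect the chain's terminal
 * rule. Added example, not the answer's code; needs CAP_NET_ADMIN to run. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_ipv4/ip_tables.h>
/* Kernel encoding of a standard-target verdict: policy ACCEPT is -NF_ACCEPT-1
 * (= -2), DROP is -NF_DROP-1 (= -1); non-negative values are jump offsets. */
const char *verdict_name(int verdict)
{
    if (verdict == -NF_DROP - 1)   return "DROP";
    if (verdict == -NF_ACCEPT - 1) return "ACCEPT";
    if (verdict == XT_RETURN)      return "RETURN";
    return verdict >= 0 ? "JUMP" : "UNKNOWN";
}
/* Copy `table` to userspace and store the policy verdict of the builtin chain
 * on `hook` (NF_INET_LOCAL_IN = INPUT). Returns 1 on success, 0 on failure. */
int builtin_policy(const char *table, int hook, int *verdict)
{
    struct ipt_getinfo info = {0};
    struct ipt_get_entries *ents = NULL;
    struct ipt_entry *e;
    socklen_t len = sizeof(info);
    int ok = 0, sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) return 0;
    strncpy(info.name, table, sizeof(info.name) - 1);
    if (getsockopt(sock, IPPROTO_IP, IPT_SO_GET_INFO, &info, &len) < 0) goto out;
    if (!(info.valid_hooks & (1u << hook))) goto out;   /* chain not builtin here */
    len = sizeof(*ents) + info.size;                    /* header + ruleset blob */
    if (!(ents = calloc(1, len))) goto out;
    strncpy(ents->name, table, sizeof(ents->name) - 1);
    ents->size = info.size;
    if (getsockopt(sock, IPPROTO_IP, IPT_SO_GET_ENTRIES, ents, &len) < 0) goto out;
    /* underflow[hook] is the offset of the chain's last rule, i.e. its policy */
    e = (struct ipt_entry *)((char *)ents->entrytable + info.underflow[hook]);
    *verdict = ((struct xt_standard_target *)ipt_get_target(e))->verdict;
    ok = 1;
out:
    free(ents); close(sock);
    return ok;
}
int main(void)
{
    int v;
    if (!builtin_policy("filter", NF_INET_LOCAL_IN, &v)) { perror("filter/INPUT"); return 1; }
    printf("filter INPUT policy: %s\n", verdict_name(v));
    return 0;
}
```

Without CAP_NET_ADMIN the raw socket (or the getsockopt) fails and the program reports the error; that is the same privilege the iptables binary itself needs.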


So it looks like there isn't any way, and it's been acknowledged by the Netfilter group.

See SO question, How can I programmatically manage iptables rules on the fly?

gauravphoenix answered Jan 20 '23 12:01