For those of you who are a little brave, libiptc
has a group of functions to directly modify the firewalling rules and
statistics (use of iptables is really the safest way).
These functions are not covered by this HOWTO and I will limit myself
to presenting improved information taken from
libiptc.h and the
Linux netfilter Hacking HOWTO by Rusty Russell.
Name: iptc_commit
Usage: Makes the actual changes.
Prototype: int iptc_commit(iptc_handle_t *handle)
Description: The tables that you change are not written back until the
iptc_commit() function is called. This means it
is possible for two library users operating on the same chain to race
each other; locking would be required to prevent this, and it is not
currently done. There is no race with counters, however; counters are
added back in to the kernel in such a way that counter increments
between the reading and writing of the table still show up in the new
table. To protect the status of the system you must commit
your changes.
Parameters: handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call
to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_insert_entry
Usage: Insert a new rule in a chain.
Prototype: int iptc_insert_entry(const ipt_chainlabel chain, const struct ipt_entry *e,
unsigned int rulenum, iptc_handle_t *handle)
Description: This function insert a rule defined in structure type
ipt_entry in chain chain into
position defined by integer value rulenum. Rule numbers
start at 1 for the first rule.
Parameters: chain is a char pointer to the name of the chain to
be modified; e is a pointer to a structure of type
ipt_entry that contains information about the rule to
be inserted. The programmer must fill the fields of this structure with
values required to define his or her rule before passing the pointer as
parameter to the function. rulenum is an integer
value defined the position in the chain of rules where the new rule will
be inserted. Rule numbers start at 1 for the first rule.
handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call to
iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_replace_entry
Usage: Replace an old rule in a chain with a new one.
Prototype: int iptc_replace_entry(const ipt_chainlabel chain, const struct ipt_entry *e,
unsigned int rulenum, iptc_handle_t *handle)
Description: This function replace the entry rule in chain chain
positioned at rulenum with the rule defined in structure
type ipt_entry. Rule numbers start at 1 for the first rule.
Parameters: chain is a char pointer to the name of the chain to
be modified; e is a pointer to a structure of type
ipt_entry that contains information about the rule to
be inserted. The programmer must fill the fields of this structure with
values required to define his or her rule before passing the pointer as
parameter to the function. rulenum is an integer
value defined the position in the chain of rules where the old rule will
be replaced by the new one. Rule numbers start at 1 for the first rule.
handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call to
iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_append_entry
Usage: Append a new rule in a chain.
Prototype: int iptc_append_entry(const ipt_chainlabel chain, const struct ipt_entry *e,
iptc_handle_t *handle)
Description: This function append a rule defined in structure type
ipt_entry in chain chain
(equivalent to insert with rulenum = length of chain).
Parameters: chain is a char pointer to the name of the chain to
be modified; e is a pointer to a structure of type
ipt_entry that contains information about the rule to
be appended. The programmer must fill the fields of this structure with
values required to define his or her rule before passing the pointer as
parameter to the function. handle is a pointer to a
structure of type iptc_handle_t that was obtained by
a previous call to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_delete_num_entry
Usage: Delete a rule in a chain.
Prototype: int iptc_delete_num_entry(const ipt_chainlabel chain, unsigned int rulenum,
iptc_handle_t *handle)
Description: This function delete the entry rule in chain chain
positioned at rulenum. Rule numbers start at 1 for the
first rule.
Parameters: chain is a char pointer to the name of the chain to
be modified; rulenum is an integer value defined the
position in the chain of rules where the rule will be deleted.
handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call to
iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_flush_entries
Usage: Empty a chain.
Prototype: int iptc_flush_entries(const ipt_chainlabel chain, iptc_handle_t *handle)
Description: This function flushes the rule entries in the given chain (ie. empties chain).
Parameters: chain is a char pointer to the name of the chain to
be flushed; handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call to
iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_zero_entries
Usage: Zeroes the chain counters.
Prototype: int iptc_zero_entries(const ipt_chainlabel chain, iptc_handle_t *handle)
Description: This function zeroes the counters in the given chain.
Parameters: chain is a char pointer to the name of the chain
which counters will be zero; handle is a pointer
to a structure of type iptc_handle_t that was obtained
by a previous call to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_create_chain
Usage: Create a new chain.
Prototype: int iptc_create_chain(const ipt_chainlabel chain, iptc_handle_t *handle)
Description: This function create a new chain in the table.
Parameters: chain is a char pointer to the name of the chain
to be created; handle is a pointer to a structure
of type iptc_handle_t that was obtained by a previous
call to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_delete_chain
Usage: Delete a chain.
Prototype: int iptc_delete_chain(const ipt_chainlabel chain, iptc_handle_t *handle)
Description: This function delete the chain identified by the char pointer
chain in the table.
Parameters: chain is a char pointer to the name of the chain
to be deleted; handle is a pointer to a structure
of type iptc_handle_t that was obtained by a previous
call to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_rename_chain
Usage: Rename a chain.
Prototype: int iptc_rename_chain(const ipt_chainlabel oldname, const ipt_chainlabel newname,
iptc_handle_t *handle)
Description: This function rename the chain identified by the char pointer
oldname to a new name newname
in the table.
Parameters: oldname is a char pointer to the name of the chain
to be renamed, newname is the new name;
handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous
call to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_set_policy
Usage: Set the policy in a built-in chain.
Prototype: int iptc_set_policy(const ipt_chainlabel chain, const ipt_chainlabel policy,
struct ipt_counters *counters, iptc_handle_t *handle)
Description: This function set the policy in chain chain to the
value represented by the char pointer policy. If you
want to set at the same time the counters of the chain, fill those values
in a structure of type ipt_counters and pass a pointer
to it as parameter counters. Be careful: the chain
must be a built-in chain.
Parameters: chain is a char pointer to the name of the chain to
be modified; policy is a char pointer to the name of
the policy to be set. counters is a pointer to an
ipt_counters structure to be used to set the counters
of the chain. handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call to
iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_zero_counter
Usage: Zero counters of a rule in a chain.
Prototype: int iptc_zero_counter(const ipt_chainlabel chain, unsigned int rulenum,
iptc_handle_t *handle)
Description: This function zero packet and byte counters of the entry rule in chain
chain positioned at rulenum.
Rule numbers start at 1 for the first rule.
Parameters: chain is a char pointer to the name of the chain to
be modified; rulenum is an integer value defined the
position in the chain of rules of the rule which counters will be zero.
handle is a pointer to a structure of type
iptc_handle_t that was obtained by a previous call to
iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).
Name: iptc_set_counter
Usage: Set counters of a rule in a chain.
Prototype: int iptc_set_counter(const ipt_chainlabel chain, unsigned int rulenum,
struct ipt_counters *counters, iptc_handle_t *handle)
Description: This function set packet and byte counters of the entry rule in chain
chain positioned at rulenum
with values passed in a type structure ipt_counters.
Rule numbers start at 1 for the first rule.
Parameters: chain is a char pointer to the name of the chain to
be modified; rulenum is an integer value defined the
position in the chain of rules of the rule which counters will be set.
counters is a pointer to an
ipt_counters structure to be used to set the counters
of the rule; the programmer must fill the fields of this structure with
values to be set. handle is a pointer to a structure
of type iptc_handle_t that was obtained by a previous
call to iptc_init.
Returns: Returns integer value 1 (true) if successful; returns integer value 0
(false) if fails. In this case errno is set to the
error number generated. Use iptc_strerror to get a
meaningful information about the problem. If errno == 0, it means there
was a version error (ie. upgrade libiptc).