From: <vpo...@en...> - 2004-07-23 23:34:10
|
Hi guys,

My question is exactly the one in the e-mail subject: Is the IPTables::IPv4 Perl module trustable?

This module is a Perl interface to the 'libiptc' library, written by Derrik Pates. I'd like to use it in an application. But I read in netfilter's FAQ the following:

"4.5 Is there a C/C++ API for adding/removing rules?
The answer unfortunately is: No.
Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.
We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance."

Has someone else already tested it before? Does someone else there know its internals?

Thanks,
bruno negrão
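The FAQ's recommended alternative, piping a complete ruleset into the stdin of iptables-restore, as an added example in Perl (this is not code from the thread or from the IPTables::IPv4 distribution). Rules are kept as data, every field is whitelist-checked before it is turned into a line, and the pipe is opened without a shell, which sidesteps the command-line assembly that makes system() unpleasant. The path /sbin/iptables-restore, the sample addresses and ports, and the --dry-run switch are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not from IPTables::IPv4 or the mailing-list thread:
# build an iptables-restore ruleset from Perl data and feed it to
# iptables-restore on stdin. Assumes /sbin/iptables-restore exists and
# that the script runs as root when not in --dry-run mode.
use strict;
use warnings;

# Rules as data rather than interpolated shell strings. Addresses and
# ports below are constructed sample values.
my @rules = (
    { chain => 'INPUT', proto => 'tcp',  dport => 22, src => '192.0.2.0/24', target => 'ACCEPT' },
    { chain => 'INPUT', proto => 'tcp',  dport => 80,                        target => 'ACCEPT' },
    { chain => 'INPUT', proto => 'icmp',                                     target => 'ACCEPT' },
);

# Whitelist every field. iptables-restore does not start a shell, but a
# stray newline in a field would still inject an extra rule line, so
# anything outside the expected shape is rejected up front.
my $re_chain  = qr/[A-Za-z0-9_-]{1,28}/;
my $re_proto  = qr/tcp|udp|icmp/;
my $re_cidr   = qr/\d{1,3}(?:\.\d{1,3}){3}(?:\/\d{1,2})?/;
my $re_port   = qr/\d{1,5}/;
my $re_target = qr/ACCEPT|DROP|REJECT|RETURN/;

sub check {
    my ($v, $re, $what) = @_;
    die "bad $what: '" . (defined $v ? $v : 'undef') . "'\n"
        unless defined $v && $v =~ /^$re\z/;
    return $v;
}

# Produce the text iptables-restore expects: one table, chain policies,
# rules, COMMIT. Default policy is DROP; loopback and established
# traffic are allowed before the per-rule entries.
sub build_ruleset {
    my @r = @_;
    my @lines = (
        '*filter',
        ':INPUT DROP [0:0]',
        ':FORWARD DROP [0:0]',
        ':OUTPUT ACCEPT [0:0]',
        '-A INPUT -i lo -j ACCEPT',
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
    );
    for my $r (@r) {
        my $line = '-A ' . check($r->{chain}, $re_chain, 'chain');
        $line .= ' -s '      . check($r->{src},   $re_cidr,  'source') if exists $r->{src};
        $line .= ' -p '      . check($r->{proto}, $re_proto, 'proto')  if exists $r->{proto};
        $line .= ' --dport ' . check($r->{dport}, $re_port,  'port')   if exists $r->{dport};
        $line .= ' -j '      . check($r->{target}, $re_target, 'target');
        push @lines, $line;
    }
    push @lines, 'COMMIT';
    return join("\n", @lines) . "\n";
}

# Open a pipe to iptables-restore directly (no shell involved) and write
# the whole table; iptables-restore replaces the table in one commit, so
# the firewall never sits half-loaded while rules are being applied.
sub apply_ruleset {
    my ($text) = @_;
    open(my $fh, '|-', '/sbin/iptables-restore')
        or die "cannot run iptables-restore: $!\n";
    print $fh $text;
    close($fh) or die "iptables-restore failed (exit " . ($? >> 8) . ")\n";
    return 1;
}

my $ruleset = build_ruleset(@rules);
if (@ARGV && $ARGV[0] eq '--dry-run') {
    print $ruleset;          # review the generated table before touching a live box
} else {
    apply_ruleset($ruleset);
}
```

Run it with --dry-run first and read the generated table; only then run it as root on the firewall. Because iptables-restore flushes and reloads the whole table, keep the ESTABLISHED,RELATED rule near the top so an existing SSH session to the box survives the reload.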
From: Derrik P. <dp...@ds...> - 2004-07-24 00:35:59
|
Bruno Negrão wrote:
> My question is exactly the one in the e-mail subject: Is IPTables::IPv4
> Perl module trustable?
>
> This module is a perl interface to the 'libiptc' library, written by,
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
>
> "4.5 Is there an C/C++ API for adding/removing rules?
> The answer unfortunately is: No.
> Now you might think 'but what about libiptc?'. As has been pointed out
> numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used
> as a public interface. We don't guarantee a stable interface, and it is
> planned to remove it in the next incarnation of linux packet filtering.
> libiptc is way too low-layer to be used reasonably anyway.
> We are well aware that there is a fundamental lack for such an API, and we
> are working on improving that situation. Until then, it is recommended to
> either use system() or open a pipe into stdin of iptables-restore. The
> latter will give you a way better performance."

The ways they suggest will work, but not very well, and they're really quite ugly. Yes, a whole new userspace tool for managing netfilter rules will eventually be written - but that's still a ways off, and until the kernel side interface changes, the libiptc code which I'm using from the iptables codebase will continue to work just fine, thank you.

> Does someone else already tested it before? Does someone else there knows
> its internals?

I don't really know what you're saying here. But really, you can test it any way you need to, or have whoever you want test it for you - the source is there for your (or anybody's) perusal. It incorporates a fair amount of code on top of libiptc so that you don't have to know the raw data structures, and generally makes things a good bit nicer than calling libiptc directly, and way cleaner than assembling command lines and using system() to call out to iptables (I've tried that before, long ago, and it caused me great pain. Or maybe that was just lunch one day... I forget now.)

--
Derrik Pates
dp...@ds...
From: <vpo...@en...> - 2004-07-26 18:04:32
|
Hi Derrik and everybody,

I'm asking this because I liked your module and I'd like to use it to make some programs to manage a big firewall I have in production here. Since this is an important machine, and your module is so "particular" (it uses C libraries that I don't understand and don't know how to use or evaluate by myself), I'm doing a little research about it before starting to use it.

Do you have some advice about using your module on production machines?

Is your module compatible with all 2.4.x kernels?

I read in its README file that it cleans all your firewall rules, makes some tests, and then loads all the rules again. Is it really doing this? If so, I can't install it remotely, nor during business hours.

regards,
bruno
From: Derrik P. <dp...@ds...> - 2004-07-27 02:04:39
|
Bruno Negrão wrote:
> I'm asking this because i liked your module and i'd like to use it to make
> some programs to manage a big firewall i have in production here.
> Since this is an important machine, and your module is so "particular"(it
> uses C libraries that i don't understand and i don't know how to use or
> evaluate by myself) , i'm making a little research about it before start
> using it.

Understood. libiptc is a pretty complex piece of code. I don't know that my wrapper approaches its level of complexity, but it's all complicated.

> Do you have some advice about using your module in procuction machines?

You'd have to ask the people who are using it in production systems.

> Is your module compatible with all 2.4.x kernels?

To my knowledge. I personally am running 2.6.7 on my main daily-use systems (my office workstation and my PowerBook), but if a recent version of iptables works on the kernel, IPTables::IPv4 will as well.

> I read in its README file that it cleans all your firewall rules, make some
> tests, and then it loads all the rules again.
> It it really doing this? If so, i cant install it remotely neither in the
> business hours.

I'd suggest downloading the tarball and running 'perl Makefile.PL ; make ; make install' then, instead of installing it using the CPAN shell. It's the 'make test' part that does that.

--
Derrik Pates
dp...@ds...
From: Alex O. <Ale...@ab...> - 2004-07-27 07:34:02
|
We used it successfully on 2.4.19, 2.4.20, 2.4.22 and 2.4.24

alex

On Mon, 2004-07-26 at 20:04, Bruno Negrão wrote:
> Hi Derrik and everybody,
>
> I'm asking this because i liked your module and i'd like to use it to make
> some programs to manage a big firewall i have in production here.
> Since this is an important machine, and your module is so "particular"(it
> uses C libraries that i don't understand and i don't know how to use or
> evaluate by myself) , i'm making a little research about it before start
> using it.
>
> Do you have some advice about using your module in procuction machines?
>
> Is your module compatible with all 2.4.x kernels?
>
> I read in its README file that it cleans all your firewall rules, make some
> tests, and then it loads all the rules again.
> It it really doing this? If so, i cant install it remotely neither in the
> business hours.
>
> regards,
> bruno
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Iptperl-general mailing list
> Ipt...@li...
> https://lists.sourceforge.net/lists/listinfo/iptperl-general

--
aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)
From: <vpo...@en...> - 2004-07-27 12:45:55
|
Thanks Alex. And what kind of Linux is yours? (mine is Red Hat)

bruno.

> We used it successfully on 2.4.19, 2.4.20, 2.4.22 and 2.4.24
> alex
From: Alex O. <Ale...@ab...> - 2004-07-28 07:58:36
|
Bruno,

We have an own-build distribution, made from scratch. We productize a complete all-in-one solution (http://www.axsguard.com) (Router/Firewall/VPN/Content Scanning/E-mail/... much more)

Regards
alex

On Tue, 2004-07-27 at 14:45, Bruno Negrão wrote:
> Thanks Alex. And what kind of Linux is yours? (mine is Red Hat)
>
> bruno.
>
> We used it successfully on 2.4.19, 2.4.20, 2.4.22 and 2.4.24
> alex
> [...]
From: Alex O. <Ale...@ab...> - 2004-07-26 07:43:05
|
Hi,

We are using it already for a long time and on many systems and it works well (for us).

Thanks to Derrik for this

Regards
alex

On Sat, 2004-07-24 at 01:34, Bruno Negrão wrote:
> Hi guys,
>
> My question is exactly the one in the e-mail subject: Is
> IPTables::IPv4
> Perl module trustable?
>
> This module is a perl interface to the 'libiptc' library, written by,
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
> [...]
>
> Does someone else already tested it before? Does someone else there
> knows
> its internals?
>
> Thanks,
> bruno negrão