iptperl-general

[Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[<vpo...@en...>]

Hi guys,

My question is exactly the one in the e-mail subject: Is IPTables::IPv4
Perl module trustable?

This module is a perl interface to the 'libiptc' library, written by,
Derrik Pates. I'd like to use it in an application.
But I read in netfilter's FAQ the following:

"4.5 Is there an C/C++ API for adding/removing rules?
The answer unfortunately is: No.
Now you might think 'but what about libiptc?'. As has been pointed out
numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be =
used
as a public interface. We don't guarantee a stable interface, and it is
planned to remove it in the next incarnation of linux packet filtering.
libiptc is way too low-layer to be used reasonably anyway.
We are well aware that there is a fundamental lack for such an API, and =
we
are working on improving that situation. Until then, it is recommended =
to
either use system() or open a pipe into stdin of iptables-restore. The
latter will give you a way better performance."

Does someone else already tested it before? Does someone else there =
knows
its internals?

Thanks,
bruno negr=E3o

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[Derrik P. <dp...@ds...>]

Bruno Negrão wrote:
> My question is exactly the one in the e-mail subject: Is IPTables::IPv4
> Perl module trustable?
> 
> This module is a perl interface to the 'libiptc' library, written by,
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
> 
> "4.5 Is there an C/C++ API for adding/removing rules?
> The answer unfortunately is: No.
> Now you might think 'but what about libiptc?'. As has been pointed out
> numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used
> as a public interface. We don't guarantee a stable interface, and it is
> planned to remove it in the next incarnation of linux packet filtering.
> libiptc is way too low-layer to be used reasonably anyway.
> We are well aware that there is a fundamental lack for such an API, and we
> are working on improving that situation. Until then, it is recommended to
> either use system() or open a pipe into stdin of iptables-restore. The
> latter will give you a way better performance."

The ways they suggest will work, but not very well, and they're really 
quite ugly. Yes, a whole new userspace tool for managing netfilter rules 
will eventually be written - but that's still a ways off, and until the 
kernel side interface changes, the libiptc code which I'm using from the 
iptables codebase will continue to work just fine, thank you.

> Does someone else already tested it before? Does someone else there knows
> its internals?

I don't really know what you're saying here. But really, you can test it 
any way you need to, or have whoever you want test it for you - the 
source is there for your (or anybody's) perusal. It incorporates a fair 
amount of code on top of libiptc so that you don't have to know the raw 
data structures, and generally makes things a good bit nicer than 
calling libiptc directly, and way cleaner than assembling command lines 
and using system() to call out to iptables (I've tried that before, long 
ago, and it caused me great pain. Or maybe that was just lunch one 
day... I forget now.)

-- 
Derrik Pates
dp...@ds...

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[<vpo...@en...>]

Hi Derrik and everybody,

I'm asking this because i liked your module and i'd like to use it to make
some programs to manage a big firewall i have in production here.
Since this is an important machine, and your module is so "particular"(it
uses C libraries that i don't understand and i don't know how to use or
evaluate by myself) , i'm making a little research about it before start
using it.

Do you have some advice about using your module in procuction machines?

Is your module compatible with all 2.4.x kernels?

I read in its README file that it cleans all your firewall rules, make some
tests, and then it loads all the rules again.
It it really doing this? If so, i cant install it remotely neither in the
business hours.

regards,
bruno

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[Derrik P. <dp...@ds...>]

Bruno Negrão wrote:
> I'm asking this because i liked your module and i'd like to use it to make
> some programs to manage a big firewall i have in production here.
> Since this is an important machine, and your module is so "particular"(it
> uses C libraries that i don't understand and i don't know how to use or
> evaluate by myself) , i'm making a little research about it before start
> using it.

Understood. libiptc is a pretty complex piece of code. I don't know that 
my wrapper approaches its level of complexity, but it's all complicated.

> Do you have some advice about using your module in procuction machines?

You'd have to ask the people who are using it in production systems.

> Is your module compatible with all 2.4.x kernels?

To my knowledge. I personally am running 2.6.7 on my main daily-use 
systems (my office workstation and my PowerBook), but if a recent 
version of iptables works on the kernel, IPTables::IPv4 will as well.

> I read in its README file that it cleans all your firewall rules, make some
> tests, and then it loads all the rules again.
> It it really doing this? If so, i cant install it remotely neither in the
> business hours.

I'd suggest downloading the tarball and running 'perl Makefile.PL ; make 
; make install' then, instead of installing it using the CPAN shell. 
It's the 'make test' part that does that.

--
Derrik Pates
dp...@ds...

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[Alex O. <Ale...@ab...>]

We used it sucessfully on 2.4.19, 2.4.20, 2.4.22 and 2.4.24
alex
On Mon, 2004-07-26 at 20:04, Bruno Negr=E3o wrote:
> Hi Derrik and everybody,
>=20
> I'm asking this because i liked your module and i'd like to use it to m=
ake
> some programs to manage a big firewall i have in production here.
> Since this is an important machine, and your module is so "particular"(=
it
> uses C libraries that i don't understand and i don't know how to use or
> evaluate by myself) , i'm making a little research about it before star=
t
> using it.
>=20
> Do you have some advice about using your module in procuction machines?
>=20
> Is your module compatible with all 2.4.x kernels?
>=20
> I read in its README file that it cleans all your firewall rules, make =
some
> tests, and then it loads all the rules again.
> It it really doing this? If so, i cant install it remotely neither in t=
he
> business hours.
>=20
> regards,
> bruno
>=20
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=3D4721&alloc_id=3D10040&op=3Dclick
> _______________________________________________
> Iptperl-general mailing list
> Ipt...@li...
> https://lists.sourceforge.net/lists/listinfo/iptperl-general

--
aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[<vpo...@en...>]

Thanks Alex. And what kind of linux is yours? (mine is redhat)

bruno.


We used it sucessfully on 2.4.19, 2.4.20, 2.4.22 and 2.4.24
alex
On Mon, 2004-07-26 at 20:04, Bruno Negrão wrote:
> Hi Derrik and everybody,
>
> I'm asking this because i liked your module and i'd like to use it to
make
> some programs to manage a big firewall i have in production here.
> Since this is an important machine, and your module is so "particular"(it
> uses C libraries that i don't understand and i don't know how to use or
> evaluate by myself) , i'm making a little research about it before start
> using it.
>
> Do you have some advice about using your module in procuction machines?
>
> Is your module compatible with all 2.4.x kernels?
>
> I read in its README file that it cleans all your firewall rules, make
some
> tests, and then it loads all the rules again.
> It it really doing this? If so, i cant install it remotely neither in the
> business hours.
>
> regards,
> bruno
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Iptperl-general mailing list
> Ipt...@li...
> https://lists.sourceforge.net/lists/listinfo/iptperl-general

--
aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=ick
_______________________________________________
Iptperl-general mailing list
Ipt...@li...
https://lists.sourceforge.net/lists/listinfo/iptperl-general

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[Alex O. <Ale...@ab...>]

Bruno,
We have an own-build distribution, made from scratch.
We productize a Complete All-in-one solution
(http://www.axsguard.com)
(Router/Firewall/VPN/Content Scanning/E-mail/... much more)
Regards
alex

On Tue, 2004-07-27 at 14:45, Bruno Negr=E3o wrote:
> Thanks Alex. And what kind of linux is yours? (mine is redhat)
>=20
> bruno.
>=20
>=20
> We used it sucessfully on 2.4.19, 2.4.20, 2.4.22 and 2.4.24
> alex
> On Mon, 2004-07-26 at 20:04, Bruno Negr=E3o wrote:
> > Hi Derrik and everybody,
> >
> > I'm asking this because i liked your module and i'd like to use it to
> make
> > some programs to manage a big firewall i have in production here.
> > Since this is an important machine, and your module is so "particular=
"(it
> > uses C libraries that i don't understand and i don't know how to use =
or
> > evaluate by myself) , i'm making a little research about it before st=
art
> > using it.
> >
> > Do you have some advice about using your module in procuction machine=
s?
> >
> > Is your module compatible with all 2.4.x kernels?
> >
> > I read in its README file that it cleans all your firewall rules, mak=
e
> some
> > tests, and then it loads all the rules again.
> > It it really doing this? If so, i cant install it remotely neither in=
 the
> > business hours.
> >
> > regards,
> > bruno
> >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by BEA Weblogic Workshop
> > FREE Java Enterprise J2EE developer tools!
> > Get your free copy of BEA WebLogic Workshop 8.1 today.
> > http://ads.osdn.com/?ad_id=3D4721&alloc_id=3D10040&op=3Dclick
> > _______________________________________________
> > Iptperl-general mailing list
> > Ipt...@li...
> > https://lists.sourceforge.net/lists/listinfo/iptperl-general
>=20
> --
> aXs GUARD has completed security and anti-virus checks on this e-mail
> (http://www.axsguard.com)
>=20
>=20
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_idG21&alloc_id=10040&op=3Dick
> _______________________________________________
> Iptperl-general mailing list
> Ipt...@li...
> https://lists.sourceforge.net/lists/listinfo/iptperl-general
>=20

--
aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)

Re: [Iptperl-general] Is IPTables::IPv4 Perl module trustable?

[Alex O. <Ale...@ab...>]

Hi,

We are using it already for a long time and on many
systems and it works well (for us).

Thanks to Derek for this

Regards
alex

On Sat, 2004-07-24 at 01:34, Bruno Negr=E3o wrote:
> Hi guys,
>=20
> My question is exactly the one in the e-mail subject: Is
> IPTables::IPv4
> Perl module trustable?
>=20
> This module is a perl interface to the 'libiptc' library, written by,
> Derrik Pates. I'd like to use it in an application.
> But I read in netfilter's FAQ the following:
>=20
> "4.5 Is there an C/C++ API for adding/removing rules?
> The answer unfortunately is: No.
> Now you might think 'but what about libiptc?'. As has been pointed out
> numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be
> used
> as a public interface. We don't guarantee a stable interface, and it
> is
> planned to remove it in the next incarnation of linux packet
> filtering.
> libiptc is way too low-layer to be used reasonably anyway.
> We are well aware that there is a fundamental lack for such an API,
> and we
> are working on improving that situation. Until then, it is recommended
> to
> either use system() or open a pipe into stdin of iptables-restore. The
> latter will give you a way better performance."
>=20
> Does someone else already tested it before? Does someone else there
> knows
> its internals?
>=20
> Thanks,
> bruno negr=E3o
>=20

--
aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)