You can interact with the iptables library, which is called libiptc.
That is how I created my Perl interface for iptables: CPAN IPTables::libiptc
But the libiptc library only gives you an API for the main chains. Accessing and analyzing individual rules is somewhat more complicated, as it depends on dyn-loading the shared libraries of the individual target/match modules.
My approach in my CPAN module was to hook up do_command() from iptables.c to change the rules.
Another thing you need to know is:
A single iptables call goes through these steps:
- Copy the entire rule set from the kernel to user space
- Parse it with libiptc
- Make one or more changes (usually one change per iptables cmd)
- Convert it back to the kernel blob format, by libiptc
- Copy the entire (new) rule set from user space to the kernel
So it is a heavy process if you only make one change at a time. But you can also take advantage of this and make several changes at once; they then appear as one atomic change to the kernel.
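As an added illustration of the batching point above (this is not code from the answer or from the module's own documentation): with IPTables::libiptc several rule changes can be queued against one in-memory copy of the table and then pushed to the kernel in a single commit(). The method names (init, iptables_do_command, commit) are taken from the module's CPAN documentation as remembered here, so treat the exact signatures as an assumption to check against the CPAN page; the chain name and subnet are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: batch several rule changes and push them as one atomic update.
# Assumes the IPTables::libiptc API (init / iptables_do_command / commit) as
# documented on CPAN; must run as root on a host with netfilter loaded.
use strict;
use warnings;
use IPTables::libiptc;

# init() copies the whole "filter" table from the kernel into user space
# and parses it with libiptc (steps 1 and 2 of the list above).
my $table = IPTables::libiptc::init('filter')
    or die "Cannot open filter table: $!";

# Each command modifies only the user-space copy; nothing reaches the
# kernel yet (step 3, repeated four times).
my @changes = (
    [ '-N', 'ADMIN_SSH' ],                                        # new chain
    [ '-A', 'ADMIN_SSH', '-s', '192.0.2.0/24', '-j', 'ACCEPT' ],  # constructed admin subnet
    [ '-A', 'ADMIN_SSH', '-j', 'DROP' ],
    [ '-I', 'INPUT', '-p', 'tcp', '--dport', '22', '-j', 'ADMIN_SSH' ],
);

for my $args (@changes) {
    $table->iptables_do_command($args)
        or die "iptables command '@$args' failed: $!";
}

# One blob conversion and one copy back to the kernel (steps 4 and 5):
# the four changes become visible at once, so there is no window where
# INPUT already jumps to ADMIN_SSH while that chain is still empty.
$table->commit()
    or die "Commit failed: $!";
print "Applied ", scalar(@changes), " changes in a single kernel update\n";
```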