Is there a way we can query iptables programmatically without making use of shell script? I don't have liberty of using shell script to run iptables command and grep output. Is there a native (API) level access to iptables using GNU C? At the bare minimum I would like to query default policy of iptables.
I was hoping to use /proc file system but I don't think its implemented yet.
You can interface with the iptables library called libiptc.
That's how I have created my Perl interface to iptables: CPAN IPTables::libiptc
But the libiptc library only gives you an API to the basic chain structures.
Accessing and parsing the individual rules is a bit more complicated, as it depends on dyn-loading the shared libs of the individual target/match modules.
My approach in my CPAN module is that I have linked with do_command() from iptables.c, for doing rule changes.
Another thing you need to know is:
That a single iptables call, perform these actions:
libiptcThus, a heavy process, if you only make a single change each time. But you can also use this to your advantage, and perform many changes at once, and have these appear as a single atomic change, by/for the kernel.
So it looks like there isn't any way and it's been acknowledged by Netfilter group.
See SO question, How can I programmatically manage iptables rules on the fly?
As I said in a comment, by ltrace-ing iptables -L, I fould that there is an iptables-dev package on my Debian/Sid with libipq and related libraries. You probably might want to use it.
I would use the proc-fileystem under /proc/net/ Have a look at http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.9 and look for proc (in different questions)
Hm why shouln't he look into the sources of iptables to get an idea? I can not see why one would use strace to figure it out if the sources just contains the needed code.
