
Is there a way we can query iptables programmatically without making use of a shell script? I don't have the liberty of using a shell script to run the iptables command and grep the output. Is there native (API-level) access to iptables from GNU C? At the bare minimum I would like to query the default policy of iptables.

I was hoping to use the /proc file system but I don't think it's implemented yet.


5 Answers


You can interface with the iptables library called libiptc.

That's how I have created my Perl interface to iptables: CPAN IPTables::libiptc

But the libiptc library only gives you an API to the basic chain structures. Accessing and parsing the individual rules is a bit more complicated, as it depends on dynamically loading the shared libs of the individual target/match modules.

My approach in my CPAN module is that I have linked with do_command() from iptables.c for doing rule changes.

Another thing you need to know is that a single iptables call performs these actions:

  1. Copy the entire ruleset from the kernel to userspace
  2. Parse it with libiptc
  3. Perform one or several changes (usually just one change via iptables cmd)
  4. Transform it to kernel blob format, by libiptc
  5. Copy the entire (new) ruleset from userspace to kernel.

Thus it is a heavy process if you only make a single change each time. But you can also use this to your advantage and perform many changes at once, so that they appear as a single atomic change to the kernel.


1 Comment

Notice that the command iptables-restore uses the smart approach of doing many changes before submitting them to the kernel.
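The following is an added example, not code from the answer above or from the CPAN module it mentions. It uses the libiptc 1.4.x API (struct xtc_handle, linked as -lip4tc) to do exactly what the question asks for without a shell-out: snapshot the "filter" table, report each built-in chain's default policy and rule count, and flag chains whose default policy is ACCEPT (fail-open). The chain_info struct, the helper names, the sample_chains snapshot and the __has_include guard are my own constructions; the guard is an assumption that only lets the audit helpers build on a host without libiptc headers. Every iptc_* call used here is the real library API.

```c
/*
 * Added example: query iptables default policies through libiptc, no shell.
 *
 * Build:  cc -Wall -o ipt_policy ipt_policy.c -lip4tc
 * Run as root: iptc_init() fetches the whole ruleset from the kernel and
 * needs CAP_NET_ADMIN (it fails with EPERM otherwise).
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: build the pure audit helpers even where libiptc headers
 * are absent; snapshot_table() then reports ENOSYS instead of querying. */
#if defined(__has_include)
#  if __has_include(<libiptc/libiptc.h>)
#    include <libiptc/libiptc.h>
#    define HAVE_LIBIPTC 1
#  endif
#endif
#ifndef HAVE_LIBIPTC
#  define HAVE_LIBIPTC 0
#endif

#define MAX_CHAINS 64
#define NAME_LEN   32   /* hypothetical bound; chain names are short */

struct chain_info {
    char name[NAME_LEN];
    char policy[NAME_LEN]; /* "ACCEPT"/"DROP" for built-ins, "" for user chains */
    int builtin;           /* 1 if the chain is a table built-in (has a policy) */
    unsigned rules;        /* number of rules in the chain */
};

/* The check a reviewer wants: a built-in chain whose default policy is
 * ACCEPT is fail-open, i.e. traffic matching no rule is allowed through. */
int chain_is_fail_open(const struct chain_info *c)
{
    return c->builtin && strcmp(c->policy, "ACCEPT") == 0;
}

/* Count fail-open built-in chains in a snapshot. */
size_t count_fail_open(const struct chain_info *chains, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (chain_is_fail_open(&chains[i]))
            k++;
    return k;
}

/* Look a chain up by name in a snapshot; NULL if absent. */
const struct chain_info *find_chain(const struct chain_info *chains, size_t n,
                                    const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(chains[i].name, name) == 0)
            return &chains[i];
    return NULL;
}

/* Constructed sample snapshot (not read from any real host) so the audit
 * helpers can be exercised without root or libiptc. */
const struct chain_info sample_chains[] = {
    { "INPUT",   "DROP",   1, 12 },
    { "FORWARD", "ACCEPT", 1, 0  },   /* fail-open: no rules, default ACCEPT */
    { "myapp",   "",       0, 3  },   /* user-defined chain, no policy */
};
const size_t SAMPLE_N = sizeof sample_chains / sizeof sample_chains[0];

/*
 * Snapshot one table. Returns the number of chains written to `out`, or -1
 * with errno set (iptc_strerror(errno) gives libiptc's message).
 * iptc_init() copies the ENTIRE ruleset kernel->userspace (steps 1-2 of
 * the answer); since iptc_commit() is never called, nothing is written back.
 */
int snapshot_table(const char *table, struct chain_info *out, size_t max)
{
#if HAVE_LIBIPTC
    struct xtc_handle *h = iptc_init(table);
    if (!h)
        return -1;

    int n = 0;
    for (const char *chain = iptc_first_chain(h); chain && (size_t)n < max;
         chain = iptc_next_chain(h)) {
        struct chain_info *c = &out[n++];
        memset(c, 0, sizeof *c);
        snprintf(c->name, sizeof c->name, "%s", chain);
        c->builtin = iptc_builtin(chain, h);
        if (c->builtin) {
            struct xt_counters ctr;   /* policy hit counters, unused here */
            const char *pol = iptc_get_policy(chain, &ctr, h);
            snprintf(c->policy, sizeof c->policy, "%s", pol ? pol : "?");
        }
        for (const struct ipt_entry *e = iptc_first_rule(chain, h); e;
             e = iptc_next_rule(e, h))
            c->rules++;
    }
    iptc_free(h);
    return n;
#else
    (void)table; (void)out; (void)max;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    struct chain_info chains[MAX_CHAINS];
    int n = snapshot_table("filter", chains, MAX_CHAINS);
    if (n < 0) {
        perror("snapshot_table(\"filter\")");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%-20s %-7s %-6s rules=%u%s\n", chains[i].name,
               chains[i].builtin ? "builtin" : "user",
               chains[i].builtin ? chains[i].policy : "-",
               chains[i].rules,
               chain_is_fail_open(&chains[i]) ? "  <-- fail-open" : "");
    printf("%zu fail-open built-in chain(s)\n", count_fail_open(chains, (size_t)n));
    return 0;
}
```

This answers the comment's narrower question too: rules in filter/FORWARD is just find_chain(chains, n, "FORWARD")->rules. To batch modifications the way the answer describes, make all of them on one handle (iptc_append_entry, iptc_delete_entry, ...) and call iptc_commit() once at the end; that is the single userspace-to-kernel copy the kernel sees as one atomic replace.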

So it looks like there isn't any way, and it's been acknowledged by the Netfilter group.

See SO question, How can I programmatically manage iptables rules on the fly?

1 Comment

What about requesting more modest info: if I just want to know the number of rules in table filter, chain FORWARD?

As I said in a comment, by ltrace-ing iptables -L, I found that there is an iptables-dev package on my Debian/Sid with libipq and related libraries. You might want to use it.


I would use the proc filesystem under /proc/net/. Have a look at http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.9 and look for proc (in different questions).


Hm, why shouldn't he look into the sources of iptables to get an idea? I cannot see why one would use strace to figure it out if the sources contain the needed code.
