path: root/include/libiptc/libip6tc.h
diff options
authorStefan Tomanek <>2011-03-08 22:42:51 +0100
committerJan Engelhardt <>2011-03-08 23:12:05 +0100
commitd59b9db031abee37a9aa9776662dd15370faabf4 (patch)
tree47481f2b5f1afbc122f494beca1375de661c1160 /include/libiptc/libip6tc.h
parent9cc4f24e72f87ca191c2e723e7cd293f6477481c (diff)
iptables: add -C to check for existing rules
It is often useful to check whether a specific rule is already present in a chain without actually modifying the iptables config. Services like fail2ban usually employ techniques like grepping through the output of "iptables -L" which is quite error prone. This patch adds a new operation -C to the iptables command which mostly works like -D; it can detect and indicate the existence of the specified rule by modifying the exit code. The new operation TC_CHECK_ENTRY uses the same code as the -D operation, whose functions got a dry-run parameter appended. Signed-off-by: Stefan Tomanek <> Signed-off-by: Jan Engelhardt <>
Diffstat (limited to 'include/libiptc/libip6tc.h')
1 files changed, 6 insertions, 0 deletions
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 33ec69d2..9796574f 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -80,6 +80,12 @@ int ip6tc_append_entry(const ip6t_chainlabel chain,
const struct ip6t_entry *e,
struct ip6tc_handle *handle);
+/* Check whether a matching rule exists */
+int ip6tc_check_entry(const ip6t_chainlabel chain,
+ const struct ip6t_entry *origfw,
+ unsigned char *matchmask,
+ struct ip6tc_handle *handle);
/* Delete the first rule in `chain' which matches `fw'. */
int ip6tc_delete_entry(const ip6t_chainlabel chain,
const struct ip6t_entry *origfw,