diff options
author | Stefan Tomanek <stefan.tomanek@wertarbyte.de> | 2011-03-08 22:42:51 +0100 |
---|---|---|
committer | Jan Engelhardt <jengelh@medozas.de> | 2011-03-08 23:12:05 +0100 |
commit | d59b9db031abee37a9aa9776662dd15370faabf4 (patch) | |
tree | 47481f2b5f1afbc122f494beca1375de661c1160 /include/libiptc | |
parent | 9cc4f24e72f87ca191c2e723e7cd293f6477481c (diff) |
iptables: add -C to check for existing rules
It is often useful to check whether a specific rule is already present
in a chain without actually modifying the iptables config.
Services like fail2ban usually employ techniques like grepping through
the output of "iptables -L" which is quite error prone.
This patch adds a new operation -C to the iptables command which
mostly works like -D; it can detect and indicate the existence of the
specified rule by modifying the exit code. The new operation
TC_CHECK_ENTRY uses the same code as the -D operation, whose functions
got a dry-run parameter appended.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'include/libiptc')
-rw-r--r-- | include/libiptc/libip6tc.h | 6 | ||||
-rw-r--r-- | include/libiptc/libiptc.h | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h index 33ec69d2..9796574f 100644 --- a/include/libiptc/libip6tc.h +++ b/include/libiptc/libip6tc.h @@ -80,6 +80,12 @@ int ip6tc_append_entry(const ip6t_chainlabel chain, const struct ip6t_entry *e, struct ip6tc_handle *handle); +/* Check whether a matching rule exists */ +int ip6tc_check_entry(const ip6t_chainlabel chain, + const struct ip6t_entry *origfw, + unsigned char *matchmask, + struct ip6tc_handle *handle); + /* Delete the first rule in `chain' which matches `fw'. */ int ip6tc_delete_entry(const ip6t_chainlabel chain, const struct ip6t_entry *origfw, diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h index 5d782dab..4355ac92 100644 --- a/include/libiptc/libiptc.h +++ b/include/libiptc/libiptc.h @@ -88,6 +88,12 @@ int iptc_append_entry(const ipt_chainlabel chain, const struct ipt_entry *e, struct iptc_handle *handle); +/* Check whether a mathching rule exists */ +int iptc_check_entry(const ipt_chainlabel chain, + const struct ipt_entry *origfw, + unsigned char *matchmask, + struct iptc_handle *handle); + /* Delete the first rule in `chain' which matches `e', subject to matchmask (array of length == origfw) */ int iptc_delete_entry(const ipt_chainlabel chain, |