From d59b9db031abee37a9aa9776662dd15370faabf4 Mon Sep 17 00:00:00 2001
From: Stefan Tomanek
Date: Tue, 8 Mar 2011 22:42:51 +0100
Subject: iptables: add -C to check for existing rules

It is often useful to check whether a specific rule is already present in a chain without actually modifying the iptables config. Services like fail2ban usually employ techniques like grepping through the output of "iptables -L" which is quite error prone.

This patch adds a new operation -C to the iptables command which mostly works like -D; it can detect and indicate the existence of the specified rule by modifying the exit code.

The new operation TC_CHECK_ENTRY uses the same code as the -D operation, whose functions got a dry-run parameter appended.

Signed-off-by: Stefan Tomanek
Signed-off-by: Jan Engelhardt
---
 include/libiptc/libiptc.h | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'include/libiptc/libiptc.h')

diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 5d782dab..4355ac92 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -88,6 +88,12 @@ int iptc_append_entry(const ipt_chainlabel chain,
 const struct ipt_entry *e,
 struct iptc_handle *handle);
 
+/* Check whether a mathching rule exists */
+int iptc_check_entry(const ipt_chainlabel chain,
+ const struct ipt_entry *origfw,
+ unsigned char *matchmask,
+ struct iptc_handle *handle);
+
 /* Delete the first rule in `chain' which matches `e', subject to
 matchmask (array of length == origfw) */
 int iptc_delete_entry(const ipt_chainlabel chain,
--
cgit v1.2.3
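Review bot: The comment added above `iptc_check_entry` misspells "matching" as "mathching" and, unlike the comment on `iptc_delete_entry` directly below it, says nothing about what `matchmask` must look like or what the function returns. Since the commit message says -C reuses the -D lookup path, the header should state the same contract; I would replace the comment with `/* Check whether a rule matching `origfw' exists in `chain', subject to matchmask (array of length == origfw); returns non-zero if such a rule is found */`. The return convention is my reading of the commit message ("indicate the existence ... by modifying the exit code"), so confirm it against the implementation in libiptc.c, which is outside this hunk. `matchmask` is presumably only read on the check path and could be `const unsigned char *`, but keeping the signature parallel to `iptc_delete_entry` is defensible.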