iptables libiptc: how to delete a rule

Posted: 2018-11-15 12:08:09

Tags: c++ c iptables netfilter

The INPUT chain of my filter table has one rule:

$ sudo iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             dns.quad9.net        tcp dpt:5000 /* A test rule */

Why doesn't this code delete that rule?

extern "C" {
#include <libiptc/libiptc.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/xt_comment.h>
}
#include <iostream>
#include <cstring>
#include <cstdint>
using namespace std;

int main() {
  // Snapshot the "filter" table from the kernel into a userspace handle.
  auto h = iptc_init("filter");
  if (h == 0) {
    std::cout << "iptc_init failed\n";
    return 0;
  }
  for (auto chain = iptc_first_chain(h); chain; chain = iptc_next_chain(h)) {
    if (strcmp(chain, "INPUT")) {
      continue;
    }
    std::cout << "Chain: " << chain << "\n";
    for (auto rule = iptc_first_rule("INPUT", h); rule; rule = iptc_next_rule(rule, h)) {
      // Match mask spanning the whole entry (header, matches and target);
      // 0xff bytes mean every byte must compare equal.
      size_t size = rule->next_offset;
      uint8_t *mask = new uint8_t[size];
      memset(mask, 0xff, size);
      iptc_delete_entry(chain, rule, mask, h);
      delete[] mask;
    }
  }
  // Changes to the handle only reach the kernel via iptc_commit(h), which this program does not call.
  iptc_free(h);
}

$ g++ -fpermissive iptctest.cc -o  iptctest -liptc -lip4tc
$ sudo ./iptctest
Chain: INPUT
$ sudo iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             dns.quad9.net        tcp dpt:5000 /* A test rule */

The call to iptc_delete_entry returns 0 (failure) and errno is set to 2 (ENOENT: no such rule exists).

0 answers