Bug 993428 - [RFE] Replace iptables system calls with a Python library: python-iptables.
Product: Fedora
Classification: Fedora
Component: firewalld
Severity: low
Assigned To: Thomas Woerner
Reported: 2013-08-05 18:34 EDT by DaveG
Modified: 2013-08-23 08:33 EDT
Last Closed: 2013-08-23 08:33:46 EDT
Type: Bug
Doc Type: Bug Fix

Attachments: None
Description DaveG 2013-08-05 18:34:16 EDT
Description of suggestion:

firewalld currently uses system calls (fork/spawn) to interact with the kernel netfilter tables. The Python code maintains a cache of what it expects the kernel tables to be and so does iptables(-multi).

A Python library exists that uses the iptc C library to directly interface to the kernel data. This is the same C library that iptables itself uses to do the job.

Before the Python code "matures" it might be worthwhile exploring the use of this Python library to eliminate the additional caching and, possibly, run firewalld without requiring the iptables binaries, just the -libs.

I stumbled across the project while looking to do something similar some time ago, but the IPv6 capability was not available then. IPv6 is now integrated and the project refactored. Python (ctypes, in-process) classes for tables, chains, rules, matches and targets, all cached (weak-ref) with auto-commit options.

Link: http://ldx.github.com/python-iptables/

Thanks for your efforts in this complex area and I hope this can be of help in future developments.

Comment 1 Jiri Popelka 2013-08-15 11:42:01 EDT
Sounds nice to me at first glance, however ... and now I'll cite from [1]:
"The recommended solution given by iptables developers is to spawn the iptables command with execl() or system(). It's explicitly stated that there's no stable/public API to do that [2]"
Given that python-iptables is just libiptc/libxtables bindings, the situation is similar.
We've also been planning a re-write to C for a long time, so I'm not sure we want to experiment with another library meanwhile.

[1] http://www.bani.com.br/lang/en/2012/05/programmatically-managing-iptables-rules-in-c-iptc/
[2] http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5
Comment 2 DaveG 2013-08-15 18:12:35 EDT
Thanks for the prompt reply. Just thought I'd float the idea. Happy to close the issue.

Good luck with the C rewrite!

Comment 3 Jiri Popelka 2013-08-23 08:33:46 EDT
Thanks for the suggestion, but I'm sure we won't go this way so closing right now.
