* IPSET: programmatically implementing ip6tables snat rule including ipset matching
@ 2016-09-21 16:11 Khawar
  2016-09-22  9:36 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 2+ messages in thread
From: Khawar @ 2016-09-21 16:11 UTC (permalink / raw)
  To: netfilter

It is a newbie question, so I would highly appreciate your time.

You can also view my question here 
http://unix.stackexchange.com/questions/311373/how-to-programmatically-implement-ip6tables-rule-including-ipset

I want to implement the following using C programming

     "ip6tables -t nat -j postrouting -d <ipv6-address-in-destination-field> -m set --match-set xyz -j snat --to-source <ipv6-address>"

What should I take into account?
I have already installed the ipset userspace and kernel modules. I can 
easily use ipset specific socket options etc., which means my compilation 
and installation is somewhat ok.

Thanks




* Re: IPSET: programmatically implementing ip6tables snat rule including ipset matching
  2016-09-21 16:11 IPSET: programmatically implementing ip6tables snat rule including ipset matching Khawar
@ 2016-09-22  9:36 ` Jozsef Kadlecsik
  0 siblings, 0 replies; 2+ messages in thread
From: Jozsef Kadlecsik @ 2016-09-22  9:36 UTC (permalink / raw)
  To: Khawar; +Cc: netfilter

On Wed, 21 Sep 2016, Khawar wrote:

> I want to implement the following using C programming
> 
>     "ip6tables -t nat -j postrouting -d <ipv6-address-in-destination-field> -m
> set --match-set xyz -j snat --to-source <ipv6-address>"

I assume by "implement following using C programming" you mean to call 
exec() from your code. If not, then stop in your project and rethink: 
libiptables from the iptables package was never meant to be used by third 
party projects, check out nftables.

> What should I take into account?

There's nothing fancy there:

- create the sets before you refer to them in i[6]ptables rules
- use proper syntax (the flag parameter is missing from the set match)

> I have already installed the ipset userspace and kernel modules. I can 
> easily use ipset specific socket options etc., which means my compilation 
> and installation is somewhat ok.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
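
The approach suggested in the reply (exec the tools instead of linking against libiptables, create the set first, give the set match its flag), as an added example that is not code from either poster or from the netfilter project. Assumptions: a `hash:ip` set of family `inet6`, `dst` as the set match flag, the chain given as `-A POSTROUTING` and the target as `SNAT`, constructed 2001:db8:: documentation addresses, and a set name character whitelist chosen for this sketch; running `main` needs root.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Names must fit IPSET_MAXNAMELEN (32 bytes with NUL); the whitelist is an assumption. */
static int valid_setname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 31) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-') return 0;
    return 1;
}

/* Fill argv[] (17 slots) with the rule; dir is the set match flag, "src" or "dst". */
static int build_snat_argv(const char *argv[], const char *daddr,
                           const char *set, const char *dir, const char *saddr)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, daddr, &a) != 1 || inet_pton(AF_INET6, saddr, &a) != 1 ||
        !valid_setname(set) || (strcmp(dir, "src") != 0 && strcmp(dir, "dst") != 0))
        return -1;
    const char *t[] = { "ip6tables", "-t", "nat", "-A", "POSTROUTING",
                        "-d", daddr, "-m", "set", "--match-set", set, dir,
                        "-j", "SNAT", "--to-source", saddr, NULL };
    memcpy(argv, t, sizeof t);
    return (int)(sizeof t / sizeof t[0]) - 1;   /* argc, without the NULL */
}

/* fork + execvp: no shell is involved, so the arguments are never re-parsed. */
static int run_argv(const char *argv[])
{
    int st; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    const char *mk[] = { "ipset", "create", "xyz", "hash:ip", "family", "inet6", "-exist", NULL };
    const char *rule[17];
    if (build_snat_argv(rule, "2001:db8::10", "xyz", "dst", "2001:db8::1") < 0) return 2;
    /* the set must exist before a rule refers to it */
    return run_argv(mk) != 0 || run_argv(rule) != 0;
}
```

Whether the flag should be `src` or `dst` depends on which address of the packet is to be looked up in the set.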
