better iptables management

Zubin Mithra zubin.mithra at gmail.com
Fri Apr 2 19:29:47 BST 2010


Hello everyone, :-)

My name is Zubin Mithra and I am a B.Tech student; I have an idea I would
like to propose for GSoC 2010.

Currently, managing iptables is a difficult task; iptable rules are read
from a static configuration file and are applied. Many tools have been
developed which provide a front-end for iptables management making the task
slightly easier. Nevertheless, there is no tool which can find out if a
packet with certain attributes can be received or sent by a particular
machine.

What I am proposing is a library which can parse iptable rules using
appropriate data structures and figure out if a packet with certain
attributes can be sent/received from the local machine. The implementation
of this library could be done in two ways:-
1. a. Write a C-library. I could also develop Python bindings for the same.
Interested developers could take on the task of writing bindings for the
C-library after the Summer Of Coding period. In this manner, different
applications could use the library and avail themselves of such features.
    b. Also, once the Python bindings are developed, command line tools for
modifying the iptable rules, in order to allow/deny a packet with certain
attributes to be sent/received, could be easily developed.
BOON - doesn't have the BANE of method two given below. ;-)
BANE - string parsing in C will not be that easy. Also, different language
bindings need to be developed so that the library could be really useful.

2. a. A python module is developed for parsing the iptable rules which has
the appropriate data structures required.
    b. Make a service which exposes the methods made available by the Python
module. This way other applications can avail themselves of this feature
using d-bus.
BOON - String parsing is tremendously easy in Python; implementation will be
loads easier
BANE - Not many users would want a service running for a task such as
iptables management, which is not done on a regular basis.

The main benefits of the project would be:-
1. Admins would find it very useful.
2. Better user experience - Applications could use this library to tell the
user where exactly the fault behind a failing network connection could be.

I would love to have reviews and criticisms. Thank you for spending your
time reading up this idea.

Have a nice day. :-)
Zubin Mithra

http://zubin71.wordpress.com
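
An added illustration of the packet check proposed in this message; it is not code from the author or from any existing project. It assumes rules in `iptables-save` format, models only `-s`, `-d`, `-p`, `--dport` (single port) and `-j` with ACCEPT/DROP/REJECT, does not follow jumps to other targets, and uses the hypothetical names `parse` and `verdict`.

```python
import ipaddress
import shlex

# Constructed iptables-save style input (not taken from any real host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return (policies, chains) for the subset of rule syntax in OPTS."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                     # e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"raw": line}
            for opt, val in zip(tok[2::2], tok[3::2]):
                if opt in OPTS:
                    rule[OPTS[opt]] = val
                elif (opt, val) not in (("-m", "tcp"), ("-m", "udp")):  # fail closed
                    raise ValueError(f"unsupported match: {opt} {val}")
            chains[tok[1]].append(rule)
    return policies, chains

def verdict(policies, chains, chain, pkt):
    """First matching terminating rule decides; otherwise the chain policy."""
    for rule in chains[chain]:
        if (rule.get("proto", "all") not in ("all", pkt["proto"])
                or ("dport" in rule and int(rule["dport"]) != pkt.get("dport"))):
            continue
        if any(k in rule and ipaddress.ip_address(pkt[k]) not in
               ipaddress.ip_network(rule[k], strict=False) for k in ("src", "dst")):
            continue
        if rule.get("target") in TERMINAL:   # assumption: other targets are skipped
            return rule["target"], rule["raw"]
    return policies[chain], f"policy of {chain}"

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22}
    print(verdict(*parse(SAMPLE_RULES), "INPUT", pkt))
```

Returning the matching rule text alongside the verdict is what would let an application tell the user which rule is behind a failing connection.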