IpTables ROPE: Linux Proc File System Integration
File System Structure
The /proc file system on Linux represents modifiable or readable parts of the kernel as a simple file system. Refer to this article for some background reading on what /proc is all about.
When the ipt_rope module is installed in memory by the iptables utility, the following directories are created in the /proc file system.
(early releases called this directory "flags").
This directory contains files that hold integer values. These values are accessible to Rope script code via the greg action, and can be read or changed by user-land processes. This allows the choices made by Rope script rules to be modified by user processes without the need to change the netfilter tables.
THIS IS WORK IN PROGRESS AS OF VERSION 20041201 AND IS CURRENTLY HIGHLY INCOMPLETE AND BUGGY - MY ADVICE: PLAY BUT DON'T USE YET.
This is where compiled rope scripts are (or rather: will be) stored in order for them to be accessible to IpTables rules. The following should be noted about this folder.
- It is not a fully functional file system, and so has some rules and limitations associated with it.
- Files can be created here only with names that contain letters, digits and underscore characters.
- Files cannot be overwritten or deleted if they are in use by an iptables rule. The rule must be removed from iptables first.
- Files cannot be renamed.
- Sub-directories cannot be created.
- There is a hard limit on the number and size of files that can be placed here.
- Only correctly formatted, compiled rope scripts can be placed here.
- Bad file names, file sizes, file contents etc. result in an I/O error being reported by the utility used to create the file (such as "cp"), and a more meaningful message is written to syslog.
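As an added example (not part of the ROPE project or of this page), the following POSIX shell helpers apply the rules above on the user-land side before touching the kernel: the name check, a cp-based install that points at syslog when the kernel answers with a bare I/O error, and reading or setting one of the integer value files. ROPE_PROC_DIR and ROPE_FLAG_DIR are assumed placeholders, since the page does not give the directory names; each function also takes an explicit directory so it can be exercised against an ordinary directory first.

```shell
# Added helpers for the ipt_rope /proc interface (not project code).
# Both defaults below are PLACEHOLDERS: the page does not name the directories.
ROPE_PROC_DIR="${ROPE_PROC_DIR:-/proc/PLACEHOLDER_ROPE_SCRIPTS}"
ROPE_FLAG_DIR="${ROPE_FLAG_DIR:-/proc/PLACEHOLDER_ROPE_FLAGS}"

# Return 0 if NAME contains only letters, digits and underscores (the only
# characters the module accepts), 1 for an empty or otherwise invalid name.
rope_valid_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Install compiled script SRC under NAME in DIR (default ROPE_PROC_DIR).
# Sub-directories and renames are not supported, so NAME is a bare file name.
# The kernel reports every refusal (bad name, size, content, or a file that
# an iptables rule still uses) as a plain I/O error; the reason is in syslog.
rope_install() {
    src=$1; name=$2; dir=${3:-$ROPE_PROC_DIR}
    rope_valid_name "$name" || {
        echo "rope: bad name '$name' (letters, digits and _ only)" >&2; return 2; }
    [ -f "$src" ] || { echo "rope: no such file: $src" >&2; return 2; }
    if ! cp "$src" "$dir/$name" 2>/dev/null; then
        echo "rope: kernel rejected '$name': in use by an iptables rule, or bad" \
             "name/size/content; see syslog (dmesg or /var/log/messages)" >&2
        return 1
    fi
}

# Read one integer value file from the flag directory.
rope_flag_get() { cat "${2:-$ROPE_FLAG_DIR}/$1"; }

# Set one integer value file; only a (possibly negative) integer is written.
rope_flag_set() {
    case "$2" in
        ''|*[!0-9-]*|?*-*) echo "rope: '$2' is not an integer" >&2; return 2 ;;
    esac
    printf '%s\n' "$2" > "${3:-$ROPE_FLAG_DIR}/$1"
}
```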