coreos / go-iptables

Go wrapper around iptables utility
Apache License 2.0
1.11k stars, 256 forks

When used as a module, does it still require iptables in PATH? #121

Closed pepa65 closed 7 months ago

pepa65 commented 8 months ago

I have used go-iptables as a module (in github.com/pepa65/fail2drop), but I just encountered this message: `exec: "iptables": executable file not found in $PATH`. When using `go-iptables`, does it still require the `/usr/sbin/iptables-nft` binary from Netfilter to be present?

dandare100 commented 7 months ago

Hello.

Yes, it does require the iptables binary to be on the path. It uses that binary to manipulate the tables because the in kernel net filter does not have a good user space API.

Regards
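A small pre-flight check that makes the dependency described above explicit, as an added example that is not part of the issue thread or of the go-iptables code base. It resolves the front-end binary on PATH with `exec.LookPath` (the same call whose `*exec.Error` message the issue quotes) before any wrapper object is built, and classifies a failure so the operator gets an actionable error instead of a bare "executable file not found". The candidate binary names and the `-S` read-only listing are assumptions for the illustration; the real `iptables.New()` call is shown only as a comment because the module is not imported here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// preflight walks the candidate binary names in order and returns the first one
// that resolves on PATH. On failure it wraps the last LookPath error so callers
// can still test for exec.ErrNotFound, and it includes PATH in the message so a
// minimal container image or a sanitized service environment is easy to spot.
func preflight(candidates []string) (string, error) {
	var lastErr error
	var tried []string
	for _, name := range candidates {
		p, err := exec.LookPath(name)
		if err == nil {
			return p, nil
		}
		lastErr = err
		tried = append(tried, name)
	}
	return "", fmt.Errorf("no iptables front-end on PATH (tried %s); PATH=%q: %w",
		strings.Join(tried, ", "), os.Getenv("PATH"), lastErr)
}

// isMissingBinary reports whether err is the "executable file not found" class
// of error that exec.LookPath returns when the binary is absent from PATH.
func isMissingBinary(err error) bool {
	return errors.Is(err, exec.ErrNotFound)
}

func main() {
	// Candidate names are an assumption: distributions ship the nft-backed
	// front-end under different names, and plain "iptables" is usually a symlink.
	bin, err := preflight([]string{"iptables", "iptables-nft", "iptables-legacy"})
	if err != nil {
		if isMissingBinary(err) {
			fmt.Fprintln(os.Stderr, "install the iptables package or add it to PATH:", err)
		} else {
			fmt.Fprintln(os.Stderr, "unexpected lookup failure:", err)
		}
		os.Exit(1)
	}
	fmt.Println("using", bin)

	// At this point a wrapper such as iptables.New() from
	// github.com/coreos/go-iptables/iptables would be constructed. To show what
	// the wrapper does underneath, shell out for a read-only rule listing; this
	// needs CAP_NET_ADMIN, so an unprivileged run reports the error and stops.
	out, err := exec.Command(bin, "-S").CombinedOutput()
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s -S failed (%v): %s", bin, err, out)
		return
	}
	fmt.Print(string(out))
}
```

Running this before the wrapper is created turns the deployment mistake from the issue (a binary-less image or a stripped PATH under a service manager) into a startup failure with a clear message, rather than an error that surfaces only on the first rule change.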

pepa65 commented 7 months ago

I understand now how it works: this module is a wrapper around the iptables interface to netfilter. The iptables syntax is well understood and widely used. I agree that the kernel API is pretty horrible, and the nftables command that the netfilter people say is the only interface they support is not much better (even if it has more features than the iptables interface).

But I do not think this is true: "Netfilter developers heavily advocate using iptables utility for programmatic manipulation." I have found that the netfilter people are only willing to take the usage of nftables into account when debugging the API.

dandare100 commented 7 months ago

Ok cool.