This repository contains a .NET 10 solution for working with Linux iptables from C#. The managed code lives under IPTables.Net/, the xUnit tests live under IPTables.Net.Tests/, and the native helper library used by the libiptc-based adapter lives under ipthelper/.

- Use ./build.sh for a full solution build.
- Use ./test.sh to build and run tests.
- Use ./test.sh --fast for the managed-heavy test pass that sets SKIP_SYSTEM_TESTS=1.
- Use ./test.sh --full on Linux when root or passwordless sudo is available to run the stable native and system iptables tests.
- Use ./test.sh --full --iptables-backend legacy|nft|current to choose the iptables backend explicitly. Full mode defaults to legacy.
- Set RUN_UNSTABLE_SYSTEM_TESTS=1 with ./test.sh --full to include tests marked NotWorkingOnTravis, including the conntrack coverage that can crash on some containerized hosts.

Both scripts will bootstrap a usable .NET SDK if dotnet is missing. By default they infer the needed SDK channel from the highest TargetFramework declared in the repo's .csproj files. On Linux they also build libipthelper and install missing native build dependencies through a supported package manager when needed.

- ipthelper/ builds libipthelper.so, which is required for IPTablesLibAdapter, IptcInterface, and the conntrack/native tests.
- The helper links against the system iptables development libraries, libnl3, and libpcap.
- The scripts first try a normal helper build and then retry with -DOLD_IPTABLES if the local iptables headers are older.
- test.sh --full defaults to the iptables-legacy/ip6tables-legacy alternatives because that matches the native test expectations more closely.
- Pass --iptables-backend current if you need to keep the host's existing backend, or --iptables-backend nft to exercise the nft variants explicitly.

- Fast mode is the safest default when you only need parser, model, or mocked adapter coverage.
- Full mode touches the real machine state. The system tests create and mutate chains like test, test2, and test3, and the opt-in conntrack tests hit kernel networking APIs directly.
- If full mode fails because the host lacks privileges, kernel modules, or compatible iptables backends, rerun with ./test.sh --fast unless you are specifically changing native or system behavior.
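
A preflight check for the choice between fast and full mode described above, as an added example that is not part of the repository: it reads the backend from iptables -V, looks for existing chains named test, test2 or test3 that a full run would mutate, and picks a mode. The function names, the sample rule listing, and the restriction to the filter table are assumptions.

```shell
#!/bin/sh
# Added example: preflight before ./test.sh --full. Not part of the repository.

# Map `iptables -V` output to the backend it reports (iptables 1.8+ prints a suffix).
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# From `iptables -S` output, list user chains named exactly test, test2 or test3.
colliding_chains() {
    printf '%s\n' "$1" | awk '
        $1 == "-N" && ($2 == "test" || $2 == "test2" || $2 == "test3") {
            out = out (out == "" ? "" : " ") $2
        }
        END { print out }'
}

# $1 = yes/no (root or passwordless sudo), $2 = colliding chains (may be empty).
choose_mode() {
    if [ "$1" = yes ] && [ -z "$2" ]; then echo full; else echo fast; fi
}

# Live check on a real host (assumption: only the filter table is inspected).
preflight_live() {
    run=""; priv=no
    if [ "$(id -u)" -eq 0 ]; then priv=yes
    elif sudo -n true 2>/dev/null; then priv=yes; run="sudo -n"; fi
    [ "$priv" = yes ] || { echo "mode=fast backend=unknown"; return 0; }
    hits=$(colliding_chains "$($run iptables -S 2>/dev/null)")
    echo "mode=$(choose_mode "$priv" "$hits") backend=$(backend_from_version "$(iptables -V 2>/dev/null)") existing=${hits:-none}"
}

# Constructed sample of `iptables -S` output, so the block runs offline.
SAMPLE_RULES='-P INPUT ACCEPT
-N DOCKER
-N test
-N test_backup
-N test3
-A test -j ACCEPT'

echo "sample: existing=$(colliding_chains "$SAMPLE_RULES") mode=$(choose_mode yes "$(colliding_chains "$SAMPLE_RULES")")"
```

Call preflight_live on the target host to run the same checks against its real rule set; a result of mode=fast with existing chains listed means those chains should be reviewed before any full run.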

- Keep changes narrow and add or update xUnit coverage in IPTables.Net.Tests/ when behavior changes.
- Prefer following the existing project layout instead of introducing new abstractions unless the current design is clearly blocking the work.
- When changing native interop behavior, verify both the managed call sites in IPTables.Net/Iptables/NativeLibrary/ and the corresponding code in ipthelper/.
- The tests project is also the best source of usage examples for the public API.