Hi folx,

a while back I looked at how the helpers which use Linux-specific binaries (iptables) can be made more portable. Using pf(1) for ifdef(BSD) would've been a solution, but not necessarily one I would've liked, because as far as I understand pf it would've required manual intervention by sys admins.

In recent years (enough time has passed to assume this is now widely enough supported) Linux switched to BPF (or rather eBPF) for in-kernel firewalls and other applications (I'll spare you the writeup, there are enough summaries on BPF and eBPF out there).

While looking at the cross-system specific approach for this, I found libpcap. I still don't fully understand if it's usable enough to replace our use of execv'ing ip(1) + ifconfig(1) + iptables(1); I'm still reading and trying more trivial examples. Only caveat so far: we'd need to exclude Irix, as it doesn't support libpcap. Other than that, libpcap supports a wide range of systems (and is included in the base of some); read more in the README of https://github.com/the-tcpdump-group/libpcap.

I hope someone on this list / of us has worked with libpcap before and knows if this could be used to achieve what we today handle with external binaries.
