Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > comp.os.linux.development.system > #575

Re: Question using libiptc

Show key headers only | View raw

Richard Kettlewell <rjk@greenend.org.uk> writes:
> Richard Kettlewell <rjk@greenend.org.uk> writes:
>> Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
>>> Something I did in the past for an embedded system (based on a 200Mhz
>>> ARM9 CPU) after invoking iptables for each rule was found to be a
>>> performance problem: I changed that such that it read 'iptables
>>> commands' from standard input and executed them. Putting an iptables
>>> process on one end of a socketpair (could use SOCK_DGRAM so that there
>>> wouldn't be a need to parse the input) and using a simple, bidirectional
>>> protocol, eg control process sends command, iptables replies with OK or
>>> ERROR, would be an option.
>>>
>>> This would just require some (fairly simple) modifications to the driver
>>> program (iptables) and would then work with all compatible extensions
>>> without the need to duplicate the extension-specific code creating the
>>> necessary data structures for each and every extension.
>>
>> Sounds suspiciously like iptables-save?
>
> I mean iptables-restore, of course.

Not quite: restore/ save work with a specific text file format supposed to
exchange the complete packet-filter configuration and with some totally
bizarre parser implementation. Since I already had code to generate the
necessary arguments for calling iptables, all I wanted was to execute
these without starting a new process for every rule.

It is also somewhat pointless to have the control program create real
'shell command lines' including quoting and then let iptables
'unshellcommand' these instead of just sending the number of arguments
in binary, followed by the 'contents' of an argv-vector, ie, a sequence
of 0-terminated strings. For this case, the receiving process gets a
'message' including all the necessary information in one go (AF_UNIX
SOCK_DGRAM), allocates a char *[] of the required size and populates
that with a single pass through the message without the need to do any
kind of fancy syntactical analysis.

Back to comp.os.linux.development.system | Previous | Next — Previous in thread | Find similar

Thread

Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-24 13:32 -0700
  Re: Question using libiptc Richard Kettlewell <rjk@greenend.org.uk> - 2013-10-24 21:39 +0100
    Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-24 13:56 -0700
      Re: Question using libiptc Rainer Weikusat <rweikusat@mobileactivedefense.com> - 2013-10-24 22:37 +0100
        Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-24 15:19 -0700
          Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-24 15:25 -0700
          Re: Question using libiptc Rainer Weikusat <rweikusat@mobileactivedefense.com> - 2013-10-25 15:38 +0100
            Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-25 11:04 -0700
              Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-25 12:04 -0700
  Re: Question using libiptc Jorgen Grahn <grahn+nntp@snipabacken.se> - 2013-10-25 13:34 +0000
    Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-25 07:26 -0700
      Re: Question using libiptc Rainer Weikusat <rweikusat@mobileactivedefense.com> - 2013-10-25 21:20 +0100
        Re: Question using libiptc Jeremy Brown <bjeremy32@gmail.com> - 2013-10-25 14:23 -0700
        Re: Question using libiptc Richard Kettlewell <rjk@greenend.org.uk> - 2013-10-25 22:27 +0100
          Re: Question using libiptc Richard Kettlewell <rjk@greenend.org.uk> - 2013-10-25 22:29 +0100
            Re: Question using libiptc Rainer Weikusat <rweikusat@mobileactivedefense.com> - 2013-10-25 22:43 +0100

csiph-web