| From | Rainer Weikusat <rweikusat@mobileactivedefense.com> |
|---|---|
| Newsgroups | comp.os.linux.development.system |
| Subject | Re: Question using libiptc |
| Date | 2013-10-25 21:20 +0100 |
| Message-ID | <87eh79xfto.fsf@sable.mobileactivedefense.com> |
| References | <1c6b1c19-53c5-4659-97d9-47daaded9532@googlegroups.com> <slrnl6ksrm.2m9.grahn+nntp@frailea.sa.invalid> <46a627d0-7402-45e1-bf38-254410d6ecb1@googlegroups.com> |
Jeremy Brown <bjeremy32@gmail.com> writes:
> On Friday, October 25, 2013 8:34:47 AM UTC-5, Jorgen Grahn wrote:
>> On Thu, 2013-10-24, Jeremy Brown wrote:
>> > I have a little c program that will use the libiptc api that will
>> > dynamically add rules to iptables. To try and circumvent responses
>> > asking me why I want to do this instead of using system(), the reason
>> > is I wish to dynamically update the iptables from an external program
>> > and the entries will only be known at runtime. I also wish to have
>> > feedback as to the success or failure of these additions/deletions.
>>
>> I'm not really asking you why, but I note that your requirements don't
>> exclude using iptables(8) ... For example, I assume it has a useful
>> exit code like any sensible Unix utility.
>
> In this case the number of rule updates can be frequent and
> performance does matter.

Something I did in the past for an embedded system (based on a 200MHz ARM9 CPU) after invoking iptables for each rule was found to be a performance problem: I changed that such that it read 'iptables commands' from standard input and executed them.

Putting an iptables process on one end of a socketpair (could use SOCK_DGRAM so that there wouldn't be a need to parse the input) and using a simple, bidirectional protocol, e.g. control process sends command, iptables replies with OK or ERROR, would be an option. This would just require some (fairly simple) modifications to the driver program (iptables) and would then work with all compatible extensions without the need to duplicate the extension-specific code creating the necessary data structures for each and every extension.
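The command/reply exchange described in the post above, sketched as an added example that is not part of the original post and not iptables code. The function names are hypothetical, the worker is a stand-in for the modified driver, and its validity rule and the sample commands are constructed.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Stand-in for the modified driver (assumption: "-A "/"-D " commands are valid). */
static void worker(int fd) {
    char cmd[512]; ssize_t n;
    while ((n = recv(fd, cmd, sizeof cmd - 1, 0)) > 0) { /* one datagram, one command */
        cmd[n] = '\0';
        int ok = !strncmp(cmd, "-A ", 3) || !strncmp(cmd, "-D ", 3);
        send(fd, ok ? "OK" : "ERROR", ok ? 2 : 5, 0);
    }
    _exit(0); /* reached on the empty stop datagram or a receive error */
}

/* Fork the worker; returns the control end of the socketpair, or -1. */
int start_worker(pid_t *pid) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if ((*pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (*pid == 0) { close(sv[0]); worker(sv[1]); }
    close(sv[1]);
    return sv[0];
}

/* Send one command and wait for the verdict: 0 on OK, -1 on ERROR or I/O failure. */
int run_command(int fd, const char *cmd) {
    char reply[8];
    if (send(fd, cmd, strlen(cmd), 0) < 0) return -1;
    ssize_t n = recv(fd, reply, sizeof reply, 0);
    return (n == 2 && !memcmp(reply, "OK", 2)) ? 0 : -1;
}

/* Stop the worker with an empty datagram (no EOF to rely on with SOCK_DGRAM). */
int stop_worker(int fd, pid_t pid) {
    int status;
    send(fd, "", 0, 0);
    close(fd);
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    pid_t pid;
    int fd = start_worker(&pid);
    if (fd < 0) return 1;
    int ok = run_command(fd, "-A INPUT -s 192.0.2.10 -j DROP") == 0; /* constructed rule */
    int rejected = run_command(fd, "--bogus") == -1;
    return stop_worker(fd, pid) != 0 || !ok || !rejected;
}
```

Because each command travels as a discrete datagram and never passes through a shell, the control process gets a per-rule success or failure result without building a command line for system().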