From: Victor Julien
Subject: Re: Creating rules without the /sbin/iptables command?
Date: Wed, 17 Mar 2004 22:53:12 +0100
To: Netfilter Developers List
Message-ID: <4058C8C8.7030508@nk.nl>
List-Id: netfilter-devel.vger.kernel.org

Hi Henrik,

This might be a big improvement, but it leaves me with one possible
problem. When adding and removing rules on-the-fly I can't use this
method, right?

Wouldn't it be nice if there was a C function which I could call, which
would do all the checking and other stuff the command-line iptables does,
but, because it's a C function, way faster? Would it be easy (or even
possible) to implement such a function?

Regards,
Victor

Henrik Nordstrom wrote:
> On Wed, 17 Mar 2004, Cedric Blancher wrote:
>
>> On Wed 17/03/2004 at 19:46, Victor Julien wrote:
>>
>>> My program (written in C) creates rules by opening a pipe to
>>> /sbin/iptables. However this is quite slow with large rulesets and on
>>> slow hardware. Is there another way, like an iptables library call or
>>> something?
>>
>> You could use iptables libs that stand in /usr/lib/iptables, just like
>> iptables does.
>
> Or actually the preferred interface for this type of operations is to use
> iptables-restore, the batch version of iptables. The speed difference from
> using iptables-restore and direct calls is pretty minimal by any means.
>
> libiptc is an internal interface of the iptables source tree and is
> subject to change at any time. This should not be used directly unless you
> have very good reasons.
>
> Regards
> Henrik
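Henrik's suggestion of batching through iptables-restore, as an added example in C that is not part of this thread or of the iptables project: it renders a set of add/delete changes in iptables-save format and feeds them to one iptables-restore --noflush process, instead of spawning /sbin/iptables once per rule as Victor's program does. It assumes the installed iptables-restore supports --noflush and -D lines in its input; the rules and addresses are constructed samples.

```c
/* Added example, not code from this thread or the iptables project: batch
 * rule changes into one iptables-restore run (Henrik's advice) instead of
 * one /sbin/iptables process per rule. Assumes --noflush and -D support. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct rule_change {
    char op;               /* 'A' appends a rule, 'D' deletes a matching one */
    const char *chain;     /* e.g. "INPUT" */
    const char *matchspec; /* rest of the rule, e.g. "-s 192.0.2.10 -j DROP" */
};
/* Render the changes for the filter table in iptables-save format.
 * Returns a malloc'd string the caller frees, or NULL on a bad op. */
char *build_restore_batch(const struct rule_change *changes, size_t n)
{
    size_t cap = 64, len = 0;
    for (size_t i = 0; i < n; i++)
        cap += strlen(changes[i].chain) + strlen(changes[i].matchspec) + 8;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    len += snprintf(buf + len, cap - len, "*filter\n");
    for (size_t i = 0; i < n; i++) {
        if (changes[i].op != 'A' && changes[i].op != 'D') { free(buf); return NULL; }
        len += snprintf(buf + len, cap - len, "-%c %s %s\n",
                        changes[i].op, changes[i].chain, changes[i].matchspec);
    }
    snprintf(buf + len, cap - len, "COMMIT\n"); /* whole table applied in one commit */
    return buf;
}
/* Pipe the batch into a single iptables-restore process, keeping existing
 * rules (--noflush). Returns the pclose() status, or -1 if it could not start. */
int apply_restore_batch(const char *batch)
{
    FILE *p = popen("iptables-restore --noflush", "w");
    if (!p) return -1;
    fputs(batch, p);
    return pclose(p);
}
int main(void)
{
    struct rule_change changes[] = {           /* constructed sample rules */
        { 'A', "INPUT", "-s 192.0.2.10 -j DROP" },
        { 'D', "INPUT", "-s 192.0.2.11 -j DROP" } };
    char *batch = build_restore_batch(changes, 2);
    if (!batch) return 1;
    fputs(batch, stdout); /* print only; applying needs root, see apply_restore_batch() */
    free(batch);
    return 0;
}
```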