On 01/02/2011 11:56 AM, Dennis Jacobfeuerborn wrote:

>> I switched to iptables-restore and got 2 orders of magnitude speedup
>> (yes that is indeed over 100 times faster!!) - something to consider.
>
> I think iptables-restore uses libiptc to manipulate the rules. The problem
> is that according to the netfilter FAQ libiptc isn't officially supported
> but I asked about that on the mailing list. I've always wondered how to
> properly manipulate iptables rules from say C/C++ (or any "not shell"

Perhaps - but iptables-restore and iptables-save are what Fedora uses when you run service iptables save / (re)start - so I assume that is supported.

The format is very straightforward, differing only in a minor way from the line-by-line iptables command - the idea is that there is a single user-to-kernel space rather than 1 per line.

Anyway, I use simple scripting to create the file in the correct format - in fact it is identical to the format you get by running service iptables-save .. for obvious reasons :-)

I just skip the 1 line per rule entry followed by a service iptables save and instead - I just write it in save format and reload.

This should work as long as service iptables save/start work.

gene/

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
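As an added illustration of the "write it in save format and reload" approach described in the thread (this is not gene's script nor any Fedora code; the port list, interface list and default policies are constructed sample values), the following generates a filter table in iptables-save format and hands the whole thing to iptables-restore in one go:

```python
"""Build a ruleset in iptables-save format and load it with iptables-restore.

Added example, not from the thread. ALLOWED_TCP_PORTS, TRUSTED_IFACES and
the policies below are constructed sample values.
"""
import subprocess

# Constructed sample policy: stateful inbound filter allowing a few services.
ALLOWED_TCP_PORTS = [22, 80, 443]
TRUSTED_IFACES = ["lo"]


def build_ruleset(tcp_ports, trusted_ifaces, default_policy="DROP"):
    """Return the filter table as one iptables-save formatted string.

    Everything between '*filter' and 'COMMIT' is pushed to the kernel by
    iptables-restore as a single table replacement, instead of one
    user/kernel round trip per 'iptables -A' invocation.
    """
    lines = ["*filter",
             f":INPUT {default_policy} [0:0]",
             f":FORWARD {default_policy} [0:0]",
             ":OUTPUT ACCEPT [0:0]"]
    for iface in trusted_ifaces:
        lines.append(f"-A INPUT -i {iface} -j ACCEPT")
    lines.append("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for port in sorted(set(tcp_ports)):          # de-duplicate, stable order
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port {port}")
        lines.append(f"-A INPUT -p tcp -m tcp --dport {port} "
                     f"-m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def load_ruleset(text, dry_run=True):
    """Feed the text to iptables-restore on stdin; returns (ok, stderr).

    With --test the ruleset is only parsed and checked (non-zero exit on a
    syntax error), so a bad file never reaches the kernel. Without it the
    table is replaced atomically; a real load needs root.
    """
    cmd = ["iptables-restore", "--test"] if dry_run else ["iptables-restore"]
    try:
        proc = subprocess.run(cmd, input=text, text=True, capture_output=True)
    except FileNotFoundError:
        return False, "iptables-restore not found"
    return proc.returncode == 0, proc.stderr


if __name__ == "__main__":
    ruleset = build_ruleset(ALLOWED_TCP_PORTS, TRUSTED_IFACES)
    print(ruleset, end="")
    print("dry run:", load_ruleset(ruleset))
```

Run the dry run first; once it passes, `load_ruleset(ruleset, dry_run=False)` as root replaces the table in a single commit, the same way `service iptables start` does with /etc/sysconfig/iptables.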