On sön, 2008-05-11 at 23:47 +0800, cyx wrote:

> So there are no APIs we can use to manipulate the kernel's iptables,
> except invoking the "iptables" command from shell? So weird, it should
> have some APIs to do the same as the "iptables" does.

A pipe to iptables-restore -n is generally the recommended API. Gives you
the full command line of iptables in a reasonably efficient manner.

*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

You may want to restart iptables-restore from time to time just in case
there are memory leaks somewhere, but other than that the pipe can stay
persistent, at least until there is an error in the submitted rules
(causes iptables-restore to exit with an error).

What is missing is an efficient way to read out rules from the kernel.
iptables-restore can only read the human intended version (-L), and
iptables-save is a little too blunt in what it dumps for many purposes..

Regards
Henrik

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
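As an added illustration of the persistent-pipe approach Henrik describes (example code written for this page, not from the thread or the netfilter project): a small Python feeder keeps one `iptables-restore -n` child alive, streams `*table ... COMMIT` batches into it, treats the child exiting as "that batch was rejected" and respawns on the next submit, and also recycles the child every N batches as a precaution against leaks. Only `iptables-restore -n` and the batch format come from the message; the names `RestoreFeeder`, `format_batch`, the `settle` wait and the `FAKE_RESTORE` stand-in (a constructed shell loop that exits on any rule mentioning the hypothetical chain NOSUCHCHAIN, so the script runs without root or netfilter) are assumptions of this example.

```python
"""Persistent feeder for `iptables-restore -n` (added example, not netfilter code).

Everything except the `iptables-restore -n` command and the `*table ... COMMIT`
batch format is an assumption made for this illustration.
"""
import subprocess
from typing import Iterable, List, Optional

# -n / --noflush: apply each batch on top of the current table instead of
# flushing it first; that is what makes a long-lived pipe usable.
IPTABLES_RESTORE: List[str] = ["iptables-restore", "-n"]

# Constructed stand-in (assumption): reads lines like iptables-restore would
# and "rejects" (exits 1 on) any rule naming the hypothetical NOSUCHCHAIN,
# mimicking iptables-restore's exit-on-bad-rule behaviour without root.
FAKE_RESTORE: List[str] = [
    "sh", "-c",
    'while IFS= read -r line; do case "$line" in *NOSUCHCHAIN*) exit 1;; esac; done',
]


def format_batch(table: str, rules: Iterable[str]) -> str:
    """Render one iptables-restore transaction: '*table', the rules, 'COMMIT'."""
    lines = [f"*{table}"]
    for rule in rules:
        rule = rule.strip()
        if not rule:
            continue
        if "\n" in rule:
            raise ValueError("one rule per entry")
        lines.append(rule)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


class RestoreFeeder:
    """Keeps one iptables-restore child alive and streams batches into it.

    A rejected batch makes iptables-restore exit, so after each batch the child
    gets `settle` seconds to die; if it does, submit() reports False and the
    next submit() spawns a fresh child. The child is also recycled every
    `max_batches` batches (the memory-leak precaution from the message).
    """

    def __init__(self, command: Optional[List[str]] = None,
                 settle: float = 0.2, max_batches: int = 10000) -> None:
        self.command = list(command or IPTABLES_RESTORE)
        self.settle = settle
        self.max_batches = max_batches
        self.proc: Optional[subprocess.Popen] = None
        self.batches_sent = 0          # batches written to the current child
        self.restarts = 0              # respawns caused by a rejected batch
        self.recycles = 0              # planned respawns after max_batches
        self.last_returncode: Optional[int] = None

    def _spawn(self) -> None:
        # stderr is inherited so iptables-restore's error text stays visible.
        self.proc = subprocess.Popen(self.command, stdin=subprocess.PIPE,
                                     stdout=subprocess.DEVNULL, text=True)
        self.batches_sent = 0

    def close(self) -> None:
        if self.proc is None:
            return
        try:
            self.proc.stdin.close()    # EOF: a healthy child exits cleanly
        except BrokenPipeError:
            pass
        self.last_returncode = self.proc.wait()
        self.proc = None

    def _ensure_running(self) -> None:
        if self.proc is None:
            self._spawn()
        elif self.proc.poll() is not None:       # died on an earlier batch
            self.close()
            self.restarts += 1
            self._spawn()
        elif self.batches_sent >= self.max_batches:
            self.close()
            self.recycles += 1
            self._spawn()

    def submit(self, table: str, rules: Iterable[str]) -> bool:
        """Write one batch; True if the child accepted it, False if it exited."""
        batch = format_batch(table, rules)
        self._ensure_running()
        try:
            self.proc.stdin.write(batch)
            self.proc.stdin.flush()
        except BrokenPipeError:
            # Child died between the poll and the write: retry once on a new one.
            self.close()
            self.restarts += 1
            self._spawn()
            self.proc.stdin.write(batch)
            self.proc.stdin.flush()
        self.batches_sent += 1
        try:
            self.last_returncode = self.proc.wait(timeout=self.settle)
        except subprocess.TimeoutExpired:
            return True                # still running: batch was consumed
        return False                   # exited: the batch was rejected


if __name__ == "__main__":
    feeder = RestoreFeeder(command=FAKE_RESTORE)   # use IPTABLES_RESTORE as root
    print(feeder.submit("nat", ["-A POSTROUTING -o ppp0 -j MASQUERADE"]))  # True
    print(feeder.submit("filter", ["-A NOSUCHCHAIN -j DROP"]))             # False
    print(feeder.submit("nat", ["-A POSTROUTING -o ppp0 -j MASQUERADE"]),
          feeder.restarts)                                                  # True 1
    feeder.close()
```

The `settle` wait is the cost of getting a per-batch verdict out of a tool that never acknowledges success: without it the rejection is only noticed as EPIPE on the next write, which is cheaper but attributes the failure to the wrong batch. Note that each COMMIT takes effect immediately, so a rejected batch leaves everything committed before it in place.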