On Wed, 22 Jul 2015 02:08:48 +0200 (CEST) Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:

> On Tue, 21 Jul 2015, Neal P. Murphy wrote:
>
> > On Tue, 21 Jul 2015 17:41:26 -0400
> > Thomas Delrue <thomas.delrue@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > Is there a way to interact with the firewall rules from a C(++) program?
> > > What I'm really trying to do is have a program that only allows a
> > > certain set of CIDRs through the firewall through a particular port.
> > > However these CIDRs change from time to time and so my application is
> > > there to update the firewall rules to make sure that the firewall rules
> > > contain the latest and greatest information that says: "drop everything
> > > trying to connect to port P EXCEPT for stuff originating from these CIDRs".
> >
> > It seems in your case that you don't need high performance or high
> > efficiency, so you should be able to use system() to run
> > iptables-restore.
>
> And in this special case of "set of CIDRs" it even more sounds like a
> job for ipset - set up a static iptables ruleset using iptables-restore,
> and if you need performance modify the list of network ranges in a
> hash-table using libipset.

Agreed, if the set of CIDRs is large enough.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
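The approach discussed in the thread, worked through as an added example (not code from any of the posters): one static iptables-restore ruleset that drops TCP to port P unless the source is in an ipset, and an `ipset restore` script that replaces the CIDR list atomically (fill a temporary set, then swap). It is written in C since that is what the original poster asked about, drives the tools through popen() rather than libipset, and the set name, chain and port are assumptions; applying the scripts needs root and the ipset / iptables-restore binaries.

```c
/* Added example: render and apply the ipset + iptables-restore scripts.
 * "allowed_src", INPUT and the port are assumed names, not from the thread. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SET_NAME "allowed_src"          /* assumed ipset name (type hash:net) */

/* Append formatted text at buf+*pos; returns 0, or -1 if buf would overflow. */
static int emit(char *buf, size_t len, size_t *pos, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, len - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= len - *pos) return -1;
    *pos += (size_t)n;
    return 0;
}

/* Static ruleset, loaded once with `iptables-restore -n` (-n: keep existing
 * rules). Drops TCP to `port` unless the source address is in the set.
 * Returns the script length, or -1 on overflow. */
int render_rules(int port, char *buf, size_t len) {
    size_t pos = 0;
    if (emit(buf, len, &pos, "*filter\n") ||
        emit(buf, len, &pos, "-A INPUT -p tcp --dport %d -m set ! --match-set "
             SET_NAME " src -j DROP\n", port) ||
        emit(buf, len, &pos, "COMMIT\n")) return -1;
    return (int)pos;
}

/* `ipset restore` script for a CIDR update: build the new list in a temp set,
 * swap it under the live rule, destroy the old one. The rule therefore never
 * matches against a half-filled set. Returns the script length or -1. */
int render_ipset(const char *const *cidrs, size_t n, char *buf, size_t len) {
    size_t pos = 0;
    if (emit(buf, len, &pos, "create " SET_NAME " hash:net -exist\n") ||
        emit(buf, len, &pos, "create " SET_NAME "_tmp hash:net -exist\n") ||
        emit(buf, len, &pos, "flush " SET_NAME "_tmp\n")) return -1;
    for (size_t i = 0; i < n; i++)
        if (emit(buf, len, &pos, "add " SET_NAME "_tmp %s\n", cidrs[i])) return -1;
    if (emit(buf, len, &pos, "swap " SET_NAME "_tmp " SET_NAME "\n") ||
        emit(buf, len, &pos, "destroy " SET_NAME "_tmp\n")) return -1;
    return (int)pos;
}

/* Pipe a rendered script into `cmd` ("ipset restore" or "iptables-restore -n");
 * returns the tool's exit status from pclose(), or -1 if popen() failed. */
int apply_script(const char *cmd, const char *script) {
    FILE *p = popen(cmd, "w");
    if (!p) return -1;
    fputs(script, p);
    return pclose(p);
}
```

Call render_rules() once at startup and render_ipset() on every CIDR change; the ipset swap keeps the iptables rule untouched, which is what makes the update cheap.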