[Wifidog] piping to iptables-restore -n

David Vincelli micologist at gmail.com
Tue Aug 24 10:39:25 EDT 2004


Hi everyone, 

I was thinking it would be a good idea to open a pipe to the (poorly
documented) iptables-restore command to improve performance. Instead
of many, many forks we can have just one open pipe.

Read this entire thread for more information

http://marc.theaimsgroup.com/?l=netfilter&m=107954945301154&w=2

There are a few issues to be aware of:

It is dependent on libiptc which (according to the netfilter dev team)
has small memory leaks in it. So it would be unwise to just open the
pipe and keep it open forever. I think periodically closing and
re-opening the pipe would be a decent workaround, with minimum impact on
performance. Otherwise, we can open and close the pipe on relevant
chunks of code.

libiptc is too complicated (and according to devs, subject to change)
to use directly.

Apparently the iptables lib is easier to use but doesn't offer much
gains over iptables-restore -n (-n means non-blocking) which will
process rule changes in batches (one chain at a time).

Tell me what you think. I can get started on the changes; what needs
to be done now is to find out how to port every command we have so
far.

<quote>

Syntax for iptables-restore input is

*tablename
start working on rules in table "tablename". Equivalent to the -t option 
to iptables.

:chainname policy
specifies the default policy for chain "chainname". Equivalent to the 
iptables -P command. Probably also works just fine to use the -P command 
but I have not tried.

COMMIT
Uploads the current table (specified by *tablename) to the kernel.

#....
Input lines starting with # are assumed to be comments and are ignored

Any other lines are assumed to be iptables commands per the iptables 
syntax specification.

iptables commands may be prefixed by [packetcnt:bytecnt] which gets
automatically translated into --set-counters packetcnt bytecnt before the
command is executed within iptables-restore. The two syntaxes are
equivalent.

</quote>

from http://marc.theaimsgroup.com/?l=netfilter-devel&m=107956725816103&w=2

What do you think?

-- 
the micologist
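An added example (not code from the post or from the Wifidog project) that renders the iptables-restore input format quoted above and feeds it to one long-lived "iptables-restore -n" process, closing and respawning the process every few batches as the workaround for the libiptc leaks the post mentions. The chain name PORTAL_CLIENTS, the client address and MAC, and the mark value are constructed for illustration.

```python
import subprocess
from typing import Dict, Optional, Sequence, Tuple

def build_batch(table: str, policies: Dict[str, str], rules: Sequence[str],
                counters: Optional[Dict[int, Tuple[int, int]]] = None,
                comment: Optional[str] = None) -> str:
    """Render one batch: *table, an optional '# ...' comment, ':chain policy'
    lines ('-' for user-defined chains), the rules (optionally prefixed with
    '[pkts:bytes]', keyed by rule position) and COMMIT."""
    lines = [f"*{table}"]
    if comment:
        lines.append(f"# {comment}")          # ignored by iptables-restore
    for chain, policy in policies.items():
        lines.append(f":{chain} {policy}")
    for i, rule in enumerate(rules):
        if counters and i in counters:
            pkts, byts = counters[i]
            lines.append(f"[{pkts}:{byts}] {rule}")  # same as --set-counters
        else:
            lines.append(rule)
    lines.append("COMMIT")                    # pushes the table to the kernel
    return "\n".join(lines) + "\n"

class RestorePipe:
    """One 'iptables-restore -n' process fed over a pipe; the process is
    closed and respawned after every `reopen_every` batches so that any
    libiptc leak stays bounded."""
    def __init__(self, reopen_every: int = 50,
                 command: Sequence[str] = ("iptables-restore", "-n")):
        self.reopen_every, self.command = reopen_every, list(command)
        self.proc: Optional[subprocess.Popen] = None
        self.sent = self.reopens = 0

    def send(self, batch: str) -> None:
        if self.proc is None:
            self.proc = subprocess.Popen(self.command, stdin=subprocess.PIPE, text=True)
        self.proc.stdin.write(batch)
        self.proc.stdin.flush()   # -n (--noflush) leaves existing rules in place
        self.sent += 1
        if self.sent % self.reopen_every == 0:
            self.close()
            self.reopens += 1

    def close(self) -> None:
        if self.proc is not None:
            self.proc.stdin.close()
            self.proc.wait()
            self.proc = None

# Constructed batch: mark one client's traffic in a hypothetical chain.
CLIENT_BATCH = build_batch(
    "mangle", {"PREROUTING": "ACCEPT", "PORTAL_CLIENTS": "-"},
    ["-A PORTAL_CLIENTS -s 10.0.0.42 -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark 2"],
    counters={0: (0, 0)}, comment="authenticated client 10.0.0.42")
```

Pass `command=("cat",)` to RestorePipe to watch the batches on stdout without touching the firewall.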

_______________________________________________
Wifidog mailing list
Wifidog at isf.waglo.com
http://isf.waglo.com/mailman/listinfo/wifidog_isf.waglo.com
