* CAN you give me a piece of sample code to implement this iptables command? thanks
From: cyx @ 2008-05-11 14:43 UTC
To: netfilter-devel
Hi, all:
the command is "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE"
how to write the code using libiptc to implement this? It is hard to get enough useful information about programming with libiptc APIs, so can you give me the sample code? Thanks a lot!
* Re: CAN you give me a piece of sample code to implement this iptables command? thanks
From: Patrick McHardy @ 2008-05-11 15:27 UTC
To: cyx; +Cc: netfilter-devel
cyx wrote:
> HI, all:
>
> the command is "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE"
>
> how to write the code using libiptc to implement this? It is hard to get enough useful information about programming with libiptc APIs, so can you give me the sample code? Thanks a lot!

libiptc doesn't provide an API for external programs, it's purely
for iptables use. You *can* use it (at least some people do),
but we give no guarantees that it stays stable and additionally
it used to leak memory (not sure about the state today).
* Re: Re: CAN you give me a piece of sample code to implement this iptablescommand? thanks
From: cyx @ 2008-05-11 15:47 UTC
To: Patrick McHardy; +Cc: netfilter-devel
So there are no APIs we can use to manipulate the kernel's iptables, except invoking the "iptables" command from the shell? So weird, it should have some APIs to do the same as "iptables" does.
* Re: Re: CAN you give me a piece of sample code to implement this iptablescommand? thanks
From: Henrik Nordstrom @ 2008-05-11 23:11 UTC
To: cyx; +Cc: netfilter-devel
On Sun, 2008-05-11 at 23:47 +0800, cyx wrote:
> So there are no APIs we can use to manipulate the kernel's iptables,
> except invoking the "iptables" command from the shell? So weird, it should
> have some APIs to do the same as "iptables" does.

A pipe to iptables-restore -n is generally the recommended API. Gives
you the full command line of iptables in a reasonably efficient manner.

    *nat
    -A POSTROUTING -o ppp0 -j MASQUERADE
    COMMIT

You may want to restart iptables-restore from time to time just in case
there are memory leaks somewhere, but other than that the pipe can stay
persistent, at least until there is an error in the submitted rules
(causes iptables-restore to exit with an error).

What is missing is an efficient way to read out rules from the kernel.
iptables-restore can only read the human-intended version (-L), and
iptables-save is a little too blunt in what it dumps for many purposes.
Regards
Henrik
* Re: CAN you give me a piece of sample code to implement this iptablescommand? thanks
From: Patrick McHardy @ 2008-05-12 15:59 UTC
To: cyx; +Cc: netfilter-devel
cyx wrote:
> So there are no APIs we can use to manipulate the kernel's iptables, except invoking the "iptables" command from the shell? So weird, it should have some APIs to do the same as "iptables" does.

Unfortunately not, at least not for C. There is a perl-API,
but I forgot its name.
* Re: CAN you give me a piece of sample code to implement this iptablescommand? thanks
From: Jan Engelhardt @ 2008-05-12 16:47 UTC
To: Patrick McHardy; +Cc: cyx, netfilter-devel
On Monday 2008-05-12 17:59, Patrick McHardy wrote:
> cyx wrote:
>> So there are no APIs we can use to manipulate the kernel's iptables, except
>> invoking the "iptables" command from the shell? So weird, it should have some
>> APIs to do the same as "iptables" does.
>
> Unfortunately not, at least not for C. There is a perl-API,
> but I forgot its name.

Why does everything need a C API? head, tail, grep, sort, are all shell
utilities without a C API yet they are used in an API-like fashion
by the user:

    ls | grep foo | sort -r | tail -n 1

so I do not see anything wrong -- especially now that Henrik presented
his patches -- to do the same with iptables. And it is not really
hard to use pipe() from C.
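
The approach Henrik and Jan describe, as an added example that is not from any message in this thread: a C program that builds the three-line ruleset and writes it to the standard input of iptables-restore -n through pipe(). It is one-shot rather than a persistent pipe; the helper names build_masq and feed_stdin and the interface-name check are assumptions of this example.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The restore format is line-based: a space or newline in an untrusted
 * interface name would inject extra rule text, so allow a strict set only. */
static const char OK_CHARS[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
static int build_masq(char *buf, size_t len, const char *oif)
{
    size_t n = strlen(oif);
    if (n == 0 || n > 15 || strspn(oif, OK_CHARS) != n)  /* 15 = IFNAMSIZ - 1 */
        return -1;
    int r = snprintf(buf, len,
                     "*nat\n-A POSTROUTING -o %s -j MASQUERADE\nCOMMIT\n", oif);
    return (r < 0 || (size_t)r >= len) ? -1 : r;   /* length, or -1 if no fit */
}

/* Run argv (no shell), write data to its stdin; exit status, or -1 locally. */
static int feed_stdin(char *const argv[], const char *data, size_t len)
{
    int fd[2], status;
    if (pipe(fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]);
        close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    close(fd[0]);
    signal(SIGPIPE, SIG_IGN);     /* the child may exit early on a bad rule */
    for (ssize_t w; pid > 0 && len > 0 && (w = write(fd[1], data, len)) > 0;)
        data += w, len -= (size_t)w;
    close(fd[1]);                 /* EOF: the child finishes and exits */
    int ok = pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status);
    return ok ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[64], *argv[] = { "iptables-restore", "-n", NULL };
    int n = build_masq(buf, sizeof buf, "ppp0");
    return n < 0 ? 1 : feed_stdin(argv, buf, (size_t)n);
}
```

The program needs root and iptables-restore on the PATH; a non-zero exit status from feed_stdin is the error exit Henrik mentions for rejected rules.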