iptables的替代品？

Question

I'm developing an application in which i rely heavily on iptables for routing traffic. I'm setting the tables just by calling iptables as an external process from my application.

I would like to know if there is a way to directly talk to the kernel modules (Netfilter) on which iptables relies and avoid the overhead of running a new process just for that?

Recommendations for other routing solutions are welcome.

Answer 1

I don't see any problem with netfilter. You are able to bind your callback on any netfilter hooks and kernel will invoke your callback on hook event. You are doing this via nf_register_hook . You can even track connections with conntrack

Example for this is here .

More info about hacking netfilter on official documentation

Answer 2

If my understanding is correct, you are asking for a programatic interface for the configuration of iptables. Unfortunately iptables (libiptc) doesn't give an API interface for configuring or querying them, its way too low in the stack.

One alternative I can suggest is kernel IP sets. ipset is actually an extension to iptables that allows to create rules that match entire set of addresses at once. IPtables are traversed linearly where as ip set are stored in indexed data structures. This makes it very efficient.

https://packages.debian.org/sid/net/ipset

This may not be a direct answer to your question but hope it helps.