🚀 使用syscall而不是进程调用实现ipset交互

Question

🚀 使用syscall而不是进程调用实现ipset交互

ihipop opened this issue 4 years ago · 3 comments

ihipop commented 4 years ago

🚀 使用syscall而不是进程调用实现ipset交互
go-ipset 使用了系统调用，添加大量ipset非常快而且不依赖ipset二进制文件

目前adgurad home也从包装二进制文件调用切换到系统调用了，理由就是0依赖且几十倍的速度提升

Answer 1 · 2021-05-26T09:03:56.000Z

alternative https://github.com/vishvananda/netlink/blob/master/ipset_linux.go

Answer 2 · 2021-05-26T09:07:43.000Z

Thanks for the hint.

Answer 3 · 2021-11-15T10:07:47.000Z

The communications to netfilter is by netlink, there is an test in https://github.com/vishvananda/netlink/blob/master/cmd/ipset-test/main.go for reference.

Invoke cmd do have limitations and is easy to make a mistake. For example, info.Entries, if with timeout enabled, will be 1.1.1.1 timeout 0 vs 1.1.1.1, it's inconsistent.