After quite some time, a posting on the netfilter-devel list reminded me of my unfinished work on libiptc2. The problem with old libiptc is that it has O(n^2) complexity when adding rules to an in-memory ruleset. This slows down iptables-restore considerably with large rulesets.
Old libiptc has a so-called chain cache that contains pointers to the start of each chain within the ruleset blob. This chain cache has to die, and libiptc2 needs a totally separate representation of the ruleset: every rule is a malloc()ed chunk of memory, put into a linked list (which builds a chain; the chains are in turn kept in a linked list). Only at the iptc_commit() stage is this libiptc-internal representation compiled into the ruleset blob.
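As an added illustration (my own sketch, not libiptc's code), here is a minimal C version of that representation, with a fixed-size text field standing in for a real rule entry: appending a rule is O(1) thanks to the per-chain tail pointer, and only the commit step flattens everything into one contiguous blob.

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative rule: a fixed-size payload standing in for a real ipt_entry. */
struct rule { char text[32]; struct rule *next; };
/* A chain is a list of rules; keeping a tail pointer makes append O(1). */
struct chain { char name[32]; struct rule *head, *tail; size_t nrules; struct chain *next; };
/* The ruleset is itself a linked list of chains. */
struct ruleset { struct chain *head, *tail; };

struct chain *chain_find_or_create(struct ruleset *rs, const char *name)
{
    struct chain *c;
    for (c = rs->head; c; c = c->next)
        if (strcmp(c->name, name) == 0) return c;
    c = calloc(1, sizeof *c);
    if (!c) return NULL;
    strncpy(c->name, name, sizeof c->name - 1);
    if (rs->tail) rs->tail->next = c; else rs->head = c;
    rs->tail = c;
    return c;
}

/* Append one rule to a chain; no blob is touched, so no O(n) shuffling. */
int rule_append(struct ruleset *rs, const char *chain, const char *text)
{
    struct chain *c = chain_find_or_create(rs, chain);
    struct rule *r = c ? calloc(1, sizeof *r) : NULL;
    if (!r) return -1;
    strncpy(r->text, text, sizeof r->text - 1);
    if (c->tail) c->tail->next = r; else c->head = r;
    c->tail = r;
    c->nrules++;
    return 0;
}

/* "Commit": serialise every chain's rules into one contiguous blob.
 * Returns the blob (caller frees) and its size; NULL on allocation failure. */
char *ruleset_commit(const struct ruleset *rs, size_t *size)
{
    size_t n = 0; struct chain *c; struct rule *r; char *blob, *p;
    for (c = rs->head; c; c = c->next) n += c->nrules * sizeof r->text;
    blob = malloc(n ? n : 1);
    if (!blob) return NULL;
    for (p = blob, c = rs->head; c; c = c->next)
        for (r = c->head; r; r = r->next, p += sizeof r->text)
            memcpy(p, r->text, sizeof r->text);
    *size = n;
    return blob;
}
```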
Let's hope Andre Uratsuka Manoel will find the time to continue this work, since I really don't even know where to start with my ever-growing TODO list :(