I would like to see a netfilter/iptables feature similar to one found in ipset: the ability to create and populate a new chain, then swap that chain with an existing chain and delete the (now old) chain. This would be a boon for firewall administration and security in that it would reduce code complexity and greatly reduce the amount of time that rules are 'missing'.
Posted Oct 8, 2011 14:07 UTC (Sat) by maxximino (guest, #80685)
It's already possible.
Check iptables-restore: it applies the bunch of rules you give it ATOMICALLY.
A Plumber's Wish List for Linux
Posted Jul 20, 2012 18:25 UTC (Fri) by fest3er (guest, #60379)
Finally had some time to ponder this. How *many* rules can be restored atomically? In previous playing with iptables-restore, I'd found that periodic COMMITs (every 15-25k rules) were needed. Doesn't a COMMIT terminate/end the atomicity?
A Plumber's Wish List for Linux
Posted Oct 11, 2011 0:34 UTC (Tue) by nybble41 (subscriber, #55106)
I'm hardly an expert on iptables, but it seems that, apart from using iptables-restore, you could also use an intermediate chain as a sort of "function pointer" to switch from the old rules to the new ones with a single update:
# set up the initial rules
iptables -N real-chain-1
iptables -A real-chain-1 ...
# create the indirect chain
iptables -N replaceable-chain
iptables -A replaceable-chain -g real-chain-1
# use it
iptables ... -j replaceable-chain
# later...
# set up the new rules
iptables -N real-chain-2
iptables -A real-chain-2 ...
# switch to the new rules
iptables -R replaceable-chain 1 -g real-chain-2
# clean up
iptables -F real-chain-1
iptables -X real-chain-1
A Plumber's Wish List for Linux
Posted Jul 20, 2012 18:31 UTC (Fri) by fest3er (guest, #60379)
Yes, that's generally possible. But it requires the chain name change to be tracked externally. (OK, I have to change the rule set again. Am I, right now, using chain_0 or chain_1?)
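An added example, written for this page rather than taken from any of the comments above, that ties the two suggestions together: it reads which real chain the indirect chain currently goes to (so the active name does not have to be tracked externally), picks the other name, and emits an iptables-restore fragment that builds the new chain, repoints the indirect chain, and removes the old chain inside a single COMMIT. Nothing here invokes iptables; the functions only parse `iptables -S` output and generate restore input, so they run without root. The chain names `replaceable-chain`, `real-chain-1` and `real-chain-2` are assumed from the comment above, the table is assumed to be `filter`, and the generated text is assumed to be fed to `iptables-restore --noflush` so that the rest of the table is left alone. Each `*table` ... `COMMIT` block is its own transaction, which is why the whole swap is kept within one block.

```shell
#!/bin/sh
# Added example for the LWN thread above, not code from any commenter.
# Generates iptables-restore input; run it in a test namespace first
# (chain and table names are assumptions, see lead-in).

# Print the chain that the indirect chain currently goes to, given the
# output of `iptables -S replaceable-chain`.  Empty if no -g rule is found.
current_target() {
    # Example input line: -A replaceable-chain -g real-chain-1
    printf '%s\n' "$1" \
        | sed -n 's/^-A replaceable-chain -g \([^ ]*\).*/\1/p' \
        | head -n 1
}

# Alternate between the two real chain names.
next_target() {
    case "$1" in
        real-chain-1) echo real-chain-2 ;;
        *)            echo real-chain-1 ;;
    esac
}

# Emit a filter-table block for `iptables-restore --noflush`:
#   - create the new chain and load its rules (one rule per argument),
#   - replace rule 1 of the indirect chain so it goes to the new chain,
#   - flush and delete the old chain (no references remain at that point),
# all applied by the single trailing COMMIT.
gen_swap_restore() {
    old="$1"; new="$2"; shift 2
    echo '*filter'
    echo ":$new - [0:0]"
    for rule in "$@"; do
        echo "-A $new $rule"
    done
    echo "-R replaceable-chain 1 -g $new"
    echo "-F $old"
    echo "-X $old"
    echo 'COMMIT'
}

# Constructed sample of `iptables -S replaceable-chain` output, used so the
# script can be exercised without touching a live firewall.
sample_dump='-N replaceable-chain
-A replaceable-chain -g real-chain-1'

# Full swap plan for the constructed sample (only printed, not applied).
demo_plan() {
    old=$(current_target "$sample_dump")
    new=$(next_target "$old")
    gen_swap_restore "$old" "$new" \
        "-p tcp --dport 22 -j ACCEPT" \
        "-j DROP"
}
```

In use, `current_target "$(iptables -S replaceable-chain)"` supplies the real name, and the output of `gen_swap_restore` is piped into `iptables-restore --noflush`. Because the old chain is only deleted after the indirect chain has been repointed, and both happen in the same COMMIT, packets never traverse an empty or half-built chain.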