
A Plumber's Wish List for Linux

A Plumber's Wish List for Linux

Posted Oct 8, 2011 3:00 UTC (Sat) by fest3er (guest, #60379)
Parent article: A Plumber's Wish List for Linux

I would like to see a netfilter/iptables feature similar to one found in ipset: the ability to create and populate a new chain, then swap that chain with an existing chain and delete the (now old) chain. This would be a boon for firewall administration and security in that it would reduce code complexity and greatly reduce the amount of time that rules are 'missing'.

A Plumber's Wish List for Linux

Posted Oct 8, 2011 14:07 UTC (Sat) by maxximino (subscriber, #80685) [Link] (1 responses)

It's already possible.
Check iptables-restore: it applies the bunch of rules you give it ATOMICALLY.

A Plumber's Wish List for Linux

Posted Jul 20, 2012 18:25 UTC (Fri) by fest3er (guest, #60379) [Link]

Finally had some time to ponder this. How *many* rules can be restored atomically? In previous playing with iptables-restore, I'd found that periodic COMMITs (every 15-25k rules) were needed. Doesn't a COMMIT terminate/end the atomicity?

A Plumber's Wish List for Linux

Posted Oct 11, 2011 0:34 UTC (Tue) by nybble41 (subscriber, #55106) [Link] (1 responses)

I'm hardly an expert on iptables, but it seems that, apart from using iptables-restore, you could also use an intermediate chain as a sort of "function pointer" to switch from the old rules to the new ones with a single update:

# set up the initial rules
iptables -N real-chain-1
iptables -A real-chain-1 ...

# create the indirect chain
iptables -N replaceable-chain
iptables -A replaceable-chain -g real-chain-1

# use it
iptables ... -j replaceable-chain

# later...

# set up the new rules
iptables -N real-chain-2
iptables -A real-chain-2 ...

# switch to the new rules
iptables -R replaceable-chain 1 -g real-chain-2

# clean up
iptables -F real-chain-1
iptables -X real-chain-1
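The indirection-chain swap above, written out as an added shell example that is not part of this thread. It reads the currently active real chain back from `iptables -S` instead of relying on an externally tracked name, flips the pointer with a single `-R`, and only then deletes the now unreferenced old chain. The chain names, the sample rules in `populate_chain` and the 10.0.0.0/8 management network are made-up assumptions; `IPTABLES` can be overridden to point at another binary.

```shell
#!/bin/sh
# Added example (not from the LWN thread): swap an indirection chain between
# two real chains, discovering the active one from iptables itself so the
# admin never has to remember whether A or B is live. All chain names, the
# sample policy and the 10.0.0.0/8 network are constructed assumptions.
set -eu

IPTABLES=${IPTABLES:-iptables}
INDIRECT=replaceable-chain

# Read `iptables -S <indirect-chain>` output on stdin and print the chain it
# currently hands off to (the -g/-j target of its first rule), or nothing.
target_from_rules() {
    awk -v c="$INDIRECT" \
        '$1=="-A" && $2==c && ($3=="-g" || $3=="-j") {print $4; exit}'
}

# Map the active real chain to the spare one (A <-> B). An unknown name is an
# error so a half-finished earlier swap is noticed rather than overwritten.
other_chain() {
    case "$1" in
        real-chain-A) echo real-chain-B ;;
        real-chain-B) echo real-chain-A ;;
        *) echo "unexpected active chain '$1'" >&2; return 1 ;;
    esac
}

# Constructed sample policy for a freshly created chain; the real rule set
# goes here (or is generated from the admin's own source of truth).
populate_chain() {
    "$IPTABLES" -A "$1" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A "$1" -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    "$IPTABLES" -A "$1" -j DROP
}

# One-time setup: real-chain-A plus the indirection chain pointing at it.
bootstrap() {
    "$IPTABLES" -N real-chain-A
    populate_chain real-chain-A
    "$IPTABLES" -N "$INDIRECT"
    "$IPTABLES" -A "$INDIRECT" -g real-chain-A
}

# Build the spare chain in full while the old one keeps filtering, flip the
# pointer with one -R (each iptables command is a single table replacement
# in the kernel), then flush and delete the old chain, which -R has left
# unreferenced so -X succeeds.
swap() {
    active=$("$IPTABLES" -S "$INDIRECT" | target_from_rules)
    [ -n "$active" ] || { echo "$INDIRECT has no target rule" >&2; return 1; }
    spare=$(other_chain "$active")
    "$IPTABLES" -N "$spare"
    populate_chain "$spare"
    "$IPTABLES" -R "$INDIRECT" 1 -g "$spare"
    "$IPTABLES" -F "$active"
    "$IPTABLES" -X "$active"
    echo "switched $INDIRECT from $active to $spare"
}

# Both actions need root and a real iptables; with no argument nothing runs,
# so the functions can be exercised without touching the firewall.
case "${1:-}" in
    bootstrap) bootstrap ;;
    swap) swap ;;
esac
```

Run `sh swap.sh bootstrap` once, then `sh swap.sh swap` for every rule-set change; because the script derives the active chain from the ruleset, repeated swaps alternate between the two real chains without any state file. Note that the window during which rules are "missing" is now zero for traffic passing through the indirection chain, but a failure while populating the spare chain still leaves that chain behind, which is exactly why `-N` failing on the next run is treated as an error rather than worked around.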

A Plumber's Wish List for Linux

Posted Jul 20, 2012 18:31 UTC (Fri) by fest3er (guest, #60379) [Link]

Yes, that's generally possible. But it requires the chain name change to be tracked externally. (OK, I have to change the rule set again. Am I, right now, using chain_0 or chain_1?)


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds