List:       netfilter
Subject:    Re: drop dhcp request from a particular mac address, after a dhcp
From:       Robert Nichols <rnicholsNOSPAM () comcast ! net>
Date:       2010-03-14 21:36:52
Message-ID: hnjktk$lie$1 () dough ! gmane ! org

On 03/13/2010 01:29 PM, Sven-Haegar Koch wrote:
> On Sat, 13 Mar 2010, Robert Nichols wrote:
>
>> As for iptables, if you're using a high-level firewall builder to
>> generate the rules, then yes, it will probably reload the entire rule
>> set if you make any change.  If you work at a lower level and use the
>> 'iptables' command directly, then only the rule you add or change is
>> affected.  You can confirm that quite easily by running "iptables -vnL"
>> before and after the change and observing that the packet counts for
>> the other rules do not get reset.
>
> No, this is not correct.
>
> The iptables command downloads the whole ruleset from the kernel,
> including current counter values, modifies the downloaded version, and
> then uploads the whole resulting ruleset (again, with counter
> values) into the kernel again.
>
> This "download whole ruleset, modify in userspace, upload" cycle is why
> iptables-restore is so much faster than multiple calls to the iptables
> program - it only downloads once, applies all changes from the input,
> and then uploads back to the kernel once.

Indeed!  I looked at the iptables source, and that's exactly what happens.

Learn something new every day.  Thanks for the correction.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
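The "download whole ruleset, modify in userspace, upload" cycle that Sven-Haegar describes can be modelled in a few dozen lines. The following is an added example, not code from this thread or from the netfilter project: it parses constructed `iptables-save -c` output (the per-rule `[packets:bytes]` counters are what `-c` adds), inserts one rule the way `iptables -I` would, and renders the whole table back in `iptables-restore -c` format. Because every untouched rule is written back together with the counter it was read with, the counts seen in `iptables -vnL` survive the change, which is what made the original observation look like an in-place edit. The sample ruleset and the `00:11:22:33:44:55` MAC address are placeholders; `block_mac_dhcp` is a hypothetical helper for the scenario in the subject line, where a DHCP request from one MAC is to be dropped.

```python
"""Model of iptables' download/modify/upload cycle (added example, not netfilter code)."""

import re
from dataclasses import dataclass, field

# Constructed sample of `iptables-save -c` output for a small filter table.
# The [packets:bytes] prefix on each rule is the counter state we must preserve.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [17:1024]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [250:31000]
[120:15360] -A INPUT -i lo -j ACCEPT
[98:6272] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:984] -A INPUT -p udp --dport 67 -j ACCEPT
COMMIT
# Completed
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    chain: str
    spec: str          # everything after "-A <chain> "
    packets: int = 0   # a freshly added rule starts with zeroed counters
    bytes: int = 0


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> (policy, pkts, bytes)
    rules: list = field(default_factory=list)


def parse_save(text):
    """'Download' step: turn `iptables-save -c` text into Table objects."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            current = Table(line[1:])
            tables[current.name] = current
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, policy, pkts, byts = m.groups()
            current.policies[chain] = (policy, int(pkts), int(byts))
            continue
        m = COUNTER_RE.match(line)
        if m:
            pkts, byts, chain, spec = m.groups()
            current.rules.append(Rule(chain, spec, int(pkts), int(byts)))
            continue
        raise ValueError("unrecognised iptables-save line: " + line)
    return tables


def insert_rule(table, chain, spec, position=1):
    """'Modify' step: insert at a 1-based position within `chain`, like `iptables -I`.
    Rules of other chains and the counters of existing rules are left untouched."""
    same_chain = [i for i, r in enumerate(table.rules) if r.chain == chain]
    if not 1 <= position <= len(same_chain) + 1:
        raise IndexError("rule position out of range")
    if position <= len(same_chain):
        idx = same_chain[position - 1]      # insert before the position-th rule
    elif same_chain:
        idx = same_chain[-1] + 1            # append after the chain's last rule
    else:
        idx = len(table.rules)              # chain has no rules yet
    table.rules.insert(idx, Rule(chain, spec))
    return table


def render_restore(tables):
    """'Upload' step: emit `iptables-restore -c` input, counters included."""
    out = []
    for t in tables.values():
        out.append("*" + t.name)
        for chain, (policy, pkts, byts) in t.policies.items():
            out.append(f":{chain} {policy} [{pkts}:{byts}]")
        for r in t.rules:
            out.append(f"[{r.packets}:{r.bytes}] -A {r.chain} {r.spec}")
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def block_mac_dhcp(save_text, mac):
    """Hypothetical helper: drop DHCP requests (udp/67) from `mac` ahead of the
    existing DHCP ACCEPT, as one batched edit of the whole table."""
    tables = parse_save(save_text)
    spec = f"-p udp --dport 67 -m mac --mac-source {mac} -j DROP"
    insert_rule(tables["filter"], "INPUT", spec, position=3)
    return render_restore(tables)


if __name__ == "__main__":
    # The result is what you would pipe into `iptables-restore -c`.
    print(block_mac_dhcp(SAMPLE_SAVE, "00:11:22:33:44:55"), end="")
```

Several changes made against the parsed tables and rendered once is exactly the saving Sven-Haegar points out: one download, one upload, however many rules are touched. The `-m mac --mac-source` match used here is only meaningful in chains that still see the Ethernet header, such as INPUT on the DHCP server itself.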

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html