List: netfilter
Subject: Re: drop dhcp request from a particular mac address, after a dhcp
From: Robert Nichols <rnicholsNOSPAM () comcast ! net>
Date: 2010-03-14 21:36:52
Message-ID: hnjktk$lie$1 () dough ! gmane ! org
On 03/13/2010 01:29 PM, Sven-Haegar Koch wrote:
> On Sat, 13 Mar 2010, Robert Nichols wrote:
>
>> As for iptables, if you're using a high-level firewall builder to
>> generate the rules, then yes, it will probably reload the entire rule
>> set if you make any change. If you work at a lower level and use the
>> 'iptables' command directly, then only the rule you add or change is
>> affected. You can confirm that quite easily by running "iptables -vnL"
>> before and after the change and observing that the packet counts for
>> the other rules do not get reset.
>
> No, this is not correct.
>
> The iptables command downloads the whole ruleset from the kernel,
> including current counter values, modifies the downloaded version, and
> then uploads the whole resulting ruleset (again, with counter
> values) into the kernel again.
>
> This "download whole ruleset, modify in userspace, upload" cycle is why
> iptables-restore is so much faster than multiple calls to the iptables
> program - it only downloads once, applies all changes from the input,
> and then uploads back to the kernel once.
Indeed! I looked at the iptables source, and that's exactly what happens.
Learn something new every day. Thanks for the correction.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
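The practical consequence of the download/modify/upload cycle described above is that a batch of rule changes should be handed to iptables-restore in one go rather than issued as separate iptables calls. The script below is an added example, not code from anyone in this thread: it builds an iptables-restore fragment that drops DHCP requests (UDP port 67) from a list of source MAC addresses, validates each MAC before it goes into the rule text, and applies the whole batch with a single `iptables-restore --noflush --counters` upload so existing rules and their counters are preserved. The chain name, the MAC addresses and the `check_batch`/`apply_batch` helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): batch firewall changes into one
# iptables-restore upload instead of many separate iptables invocations.

# valid_mac: succeed only if the argument is a colon-separated 6-octet MAC.
# Rejecting anything else keeps stray text out of the generated rule file.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# build_batch CHAIN MAC...: print an iptables-restore fragment for the
# filter table that drops DHCP requests (UDP dport 67) from each MAC.
# Returns 1 (and prints nothing) if any MAC fails validation.
build_batch() {
    chain="$1"; shift
    for mac in "$@"; do
        valid_mac "$mac" || {
            echo "build_batch: rejecting invalid MAC '$mac'" >&2
            return 1
        }
    done
    printf '*filter\n'
    for mac in "$@"; do
        printf -- '-A %s -p udp --dport 67 -m mac --mac-source %s -j DROP\n' \
            "$chain" "$mac"
    done
    printf 'COMMIT\n'
}

# check_batch CHAIN MAC...: parse the batch with iptables-restore --test
# without touching the kernel ruleset (still needs the iptables binaries).
check_batch() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2; return 2; }
    build_batch "$@" | iptables-restore --test --noflush
}

# apply_batch CHAIN MAC...: one upload for the whole batch.
# --noflush keeps rules already in the kernel; --counters preserves
# the packet/byte counts that a plain flush-and-reload would reset.
apply_batch() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2; return 2; }
    build_batch "$@" | iptables-restore --noflush --counters
}

# Constructed sample input: two MACs to block on the INPUT chain.
# Only the fragment is printed here; applying it requires root.
build_batch INPUT 00:11:22:33:44:55 66:77:88:99:aa:bb
```

Run `sh script.sh` to see the fragment; `apply_batch INPUT <mac>...` from a root shell performs the single upload, and `check_batch` lets you syntax-check the batch first.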