[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Re: Changing rules, atomicly?
From:       Simon Edwards <simon () simonzone ! com>
Date:       2001-07-14 12:49:13
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 14 July 2001 08:13, you wrote:
> > What I would like is to be
> > able to switch to a different set of firewall rules in a fast and atomic
> > way.
> Well, if you were using libiptc directly, then that would be how tthings
> are already done - it makes a snapshot of the current table state, you
> make your changes, then the commit routine commits the changes made back
> to the kernel-side data structures all at once.

I'm not familair with libiptc, but thanks for the tip. Actually I noticed in 
another post where someone had a file made using iptables-save which used a 
COMMIT keyword. I imagine that the iptables-restore (sp?) operates in an 
atomic way... mmmm.... gives me ideas....

> Far as I know, the main limits are based on memory available, not really
> any "fixed" count. There's not really a way to "suspend" the IP stack, far
> as I know - and besides, that could be bad if it were doable. 

true,

> Maybe just
> insert a rule as rule 1 to drop everything, delete everything after rule
> 1, insert the new rules, remove the drop rule, then continue on?

yes, or just build the new ruleset elsewhere using differently named user 
chains.

> Or maybe queue the changes, then make them all in one fell swoop?

that would be nice too.

thanks,

- -- 
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands       "ZooTV? You made the right choice."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjtQP8kACgkQuIuDmTrvhSZ5xQCfd/66mNm/nbixO/+rOKq0NFra
vKIAn3fc8XeQWF1qTprvpAQkRKLFR6FF
=h5gM
-----END PGP SIGNATURE-----

[prev in list] [next in list] [prev in thread] [next in thread]