List: netfilter
Subject: Re: Changing rules, atomicly?
From: Simon Edwards <simon () simonzone ! com>
Date: 2001-07-14 12:49:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 14 July 2001 08:13, you wrote:
> > What I would like is to be
> > able to switch to a different set of firewall rules in a fast and atomic
> > way.
> Well, if you were using libiptc directly, then that would be how things
> are already done - it makes a snapshot of the current table state, you
> make your changes, then the commit routine commits the changes made back
> to the kernel-side data structures all at once.
I'm not familiar with libiptc, but thanks for the tip. Actually I noticed in
another post where someone had a file made using iptables-save which used a
COMMIT keyword. I imagine that the iptables-restore (sp?) operates in an
atomic way... mmmm.... gives me ideas....
> Far as I know, the main limits are based on memory available, not really
> any "fixed" count. There's not really a way to "suspend" the IP stack, far
> as I know - and besides, that could be bad if it were doable.
true,
> Maybe just
> insert a rule as rule 1 to drop everything, delete everything after rule
> 1, insert the new rules, remove the drop rule, then continue on?
yes, or just build the new ruleset elsewhere using differently named user
chains.
> Or maybe queue the changes, then make them all in one fell swoop?
that would be nice too.
thanks,
- --
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands "ZooTV? You made the right choice."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjtQP8kACgkQuIuDmTrvhSZ5xQCfd/66mNm/nbixO/+rOKq0NFra
vKIAn3fc8XeQWF1qTprvpAQkRKLFR6FF
=h5gM
-----END PGP SIGNATURE-----
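The two ideas in the message above (a saved ruleset ending in COMMIT, and building the new rules under differently named user chains) fit together in one script. The following is an added example written for this page, not code from the thread or from the netfilter project: it generates a complete filter table in iptables-save format, checks it, and hands it to iptables-restore, which reads the whole *filter ... COMMIT block and swaps the table in one operation. The chain name in_<gen>, the ports and the interface are illustrative assumptions; iptables-restore's -t (parse only, do not commit) option is real but postdates the 2001 thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a whole filter-table ruleset in
# iptables-save format, check it, and hand it to iptables-restore, which
# commits the entire *filter ... COMMIT block to the kernel in one operation.
# Chain names (in_<gen>), ports and interfaces are illustrative assumptions.

# Emit a complete filter table to stdout. $1 is a generation tag folded into
# the user-chain name, so the rules being built never share a chain name with
# the ones currently loaded (the "differently named user chains" idea).
build_ruleset() {
    gen="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:in_${gen} - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j in_${gen}
-A in_${gen} -p tcp --dport 22 -j ACCEPT
-A in_${gen} -p icmp -j ACCEPT
-A in_${gen} -j LOG --log-prefix "in_${gen} drop: "
COMMIT
EOF
}

# Sanity-check a saved ruleset before iptables-restore sees it: one COMMIT per
# table header, and every user chain that is jumped to is declared with a
# ':' line. Returns non-zero on the first problem so the caller leaves the
# currently loaded rules alone.
check_ruleset() {
    file="$1"
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    for target in $(sed -n 's/.* -j \([A-Za-z0-9_-]*\).*/\1/p' "$file" | sort -u); do
        case "$target" in
            # built-in targets of the filter table; anything else must be a
            # user chain declared above the rules
            ACCEPT|DROP|REJECT|RETURN|LOG|QUEUE) continue ;;
        esac
        grep -q "^:${target} " "$file" || return 1
    done
    return 0
}

# Let iptables-restore parse and build the ruleset without committing (-t),
# then commit. If either step fails the old table stays in place: a table is
# only replaced once the whole block has been accepted.
apply_ruleset() {
    file="$1"
    check_ruleset "$file" || return 1
    iptables-restore -t < "$file" || return 1
    iptables-restore < "$file"
}

# Usage: sh atomic-swap.sh apply <gen>   (needs root and iptables installed)
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) || exit 1
    build_ruleset "${2:-g1}" > "$tmp"
    apply_ruleset "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

The atomicity is per table: each *table ... COMMIT block is one commit, so a file that touches both filter and nat is two swaps, not one. Counters are reset unless the file is written with -c, and -n (--noflush) would append to the existing table instead of replacing it, which is the opposite of what is wanted here.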