From: Victor Julien <victor@nk.nl>
To: Netfilter Developers List <netfilter-devel@lists.netfilter.org>
Subject: Re: Creating rules without the /sbin/iptables command?
Date: Thu, 18 Mar 2004 13:49:08 +0100
Message-ID: <40599AC4.6030504@nk.nl>
In-Reply-To: <Pine.LNX.4.44.0403180900100.25678-100000@filer.marasystems.com>
Henrik Nordstrom wrote:
> On Thu, 18 Mar 2004, Victor Julien wrote:
>
>
>>Okay, let's see if I understand what you mean. Say I have an initial
>>ruleset which looks like this, loaded with 'iptables-restore':
>>
>>*filter
>>:FORWARD DROP
>>-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
>>COMMIT
>>
>>and sometime later I want to replace 192.168.0.2 by 192.168.0.4 (in
>>exactly the same place):
>>
>>*filter
>>:FORWARD DROP
>>-D FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
>>-I FORWARD 2 -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
>>COMMIT
>
>
> Or you could
>
> *filter
> -R FORWARD 2 -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
> COMMIT
>
>>and then 'iptables-restore -n', right?
>
>
> Right. Or you could even have iptables-restore -n running on a pipe
> already... (but beware of memory leaks in libiptc)
>
Okay, I think I'd rather open the pipe on demand.
>>But the easiest way would be to recreate the initial ruleset with the
>>updated rules:
>>
>>*filter
>>:FORWARD DROP
>>-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
>>-A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
>>COMMIT
>
>
> Depends on your application, but yes I find this easier most times.
Good! But if I have a rule for accounting, how does it work then? If you
consider this (useless) example:
*filter
:FORWARD DROP
# account the traffic for 192.168.0.1
-A FORWARD -p tcp -s 192.168.0.1
-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
COMMIT
If I now want to reload the ruleset to
*filter
:FORWARD DROP
# account the traffic for 192.168.0.1
-A FORWARD -p tcp -s 192.168.0.1
-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -s 192.168.0.12 --dport 80 -j ACCEPT
COMMIT
using 'iptables-restore' (without noflush), is there a way to preserve
the accounting data from the first rule? Is this what the -c option of
iptables-restore is for?
>>The last method should still be way faster than my current method, I
>>guess. Is this right?
>
> iptables-restore is quicker than iptables as soon as you have more than
> one modification to the table. On single-rule operations it is identical
> to iptables.
>
> If you use a pipe to an already running iptables-restore then it is faster
> than iptables even on single-rule operations.
>
> In addition iptables-restore allows you to atomically replace the complete
> ruleset without race windows. This cannot be done with iptables, and with
> iptables packets will be forwarded while the new ruleset is only
> partially installed...
>
Sounds like what I'm looking for...
Regards,
Victor
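The counter-preserving reload Victor asks about, as an added example that is not part of the thread or of the netfilter project: a small Python script that parses a constructed `iptables-save -c` dump (that option prints each rule prefixed with `[packets:bytes]`), then emits a full, flushing `iptables-restore -c` script for the updated ruleset in which unchanged rules keep their old counters and new or modified rules start at `[0:0]`. The sample dump, the counter values, the `NEW_RULES` list and the `normalise` helper are assumptions made for the illustration; the `-c` behaviour and the `[packets:bytes]` prefix syntax are those of the real tools.

```python
"""Preserve iptables accounting counters across a flushing iptables-restore reload.

iptables-save -c prints every rule prefixed with "[packets:bytes]", and
iptables-restore -c reads that prefix back and sets the counters.  Merging
the counters from a saved dump into a freshly generated ruleset therefore
lets a full (non -n) reload keep the accounting data of rules that did not
change, while rules that are new or whose match changed start at zero.
"""
import re

# Constructed sample of `iptables-save -c` output (not captured from a real host).
SAVED_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [10:840]
:FORWARD DROP [3:180]
:OUTPUT ACCEPT [12:960]
[1500:1200000] -A FORWARD -p tcp -s 192.168.0.1
[1200:960000] -A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
[300:240000] -A FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
COMMIT
"""

# The updated ruleset from the thread: 192.168.0.2 replaced by 192.168.0.12,
# the accounting rule for 192.168.0.1 kept as the first rule (assumed list).
NEW_RULES = [
    "-A FORWARD -p tcp -s 192.168.0.1",
    "-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT",
    "-A FORWARD -p tcp -s 192.168.0.12 --dport 80 -j ACCEPT",
]

COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.*)$")
POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


def normalise(rule):
    """Collapse whitespace so the same rule typed slightly differently still matches."""
    return " ".join(rule.split())


def parse_counters(dump):
    """Parse an `iptables-save -c` dump of the filter table.

    Returns (policies, counters):
      policies maps chain name -> (policy, packets, bytes)
      counters maps normalised rule spec -> (packets, bytes)
    Only the *filter table is handled, as that is the only one in the thread.
    """
    policies, counters, table = {}, {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "filter":
            continue
        m = POLICY_RE.match(line)        # ":FORWARD DROP [3:180]"
        if m:
            policies[m.group(1)] = (m.group(2), int(m.group(3)), int(m.group(4)))
            continue
        m = COUNTER_RE.match(line)       # "[pkts:bytes] -A CHAIN ..."
        if m:
            counters[normalise(m.group(3))] = (int(m.group(1)), int(m.group(2)))
    return policies, counters


def build_restore_input(new_rules, policies, counters, chain="FORWARD"):
    """Emit an `iptables-restore -c` script for the new rules.

    A rule whose normalised text appears in the saved dump gets its old
    [packets:bytes]; any other rule starts at [0:0].  The chain policy and
    its counters are carried over from the dump (default DROP [0:0]).
    """
    policy, ppkts, pbytes = policies.get(chain, ("DROP", 0, 0))
    lines = ["*filter", f":{chain} {policy} [{ppkts}:{pbytes}]"]
    for rule in new_rules:
        pkts, nbytes = counters.get(normalise(rule), (0, 0))
        lines.append(f"[{pkts}:{nbytes}] {rule}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pol, cnt = parse_counters(SAVED_DUMP)
    # Feed this text to `iptables-restore -c` (no -n, so the table is flushed
    # and replaced atomically at COMMIT) to load the new rules with counters.
    print(build_restore_input(NEW_RULES, pol, cnt), end="")
```

One caveat for real use: `iptables-save` prints rules in its own canonical form (host addresses get a `/32` suffix, `-m tcp` appears before `--dport`, option order may differ from what you typed), so the text comparison above only works if the new rules are generated in that same canonical form, for example by taking them from an earlier `iptables-save -c` of the ruleset you loaded. Because the restore here is a full one rather than `-n`, the whole table is swapped in at `COMMIT`, which gives the race-free replacement Henrik describes.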