From: Koen Zandberg <hydrazine@bergzand.net>
To: Anna Fischer <a.fischer@sirrix.com>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Atomic changes to IP sets
Date: Mon, 13 Apr 2015 12:31:47 +0200
Message-ID: <552B9B13.2080906@bergzand.net>
In-Reply-To: <ECC8F67CE961104EB2AFE8F7FD50F5D045F21A@exchange2010.sirrix.de>
On 13/04/15 10:23, Anna Fischer wrote:
> Hi,
>
> I'm using ip sets in my iptables firewall rules. I don't just use those
> for firewalling, but also for packet mangling (marking). Now I'm quite
> frequently changing these sets and also the firewall rules. I know that
> I can atomically switch firewall rules by using iptables-restore. But
> how can I make changes to ip sets atomic? It seems to be as if packets
> are always passing the firewall whilst I do ipset commands. Currently I
> flush all ip sets, and then rebuild them. I understand this will cause
> problems because at times my ip sets are empty and so the firewall does
> not behave how I want it to behave. But what is the correct way to
> atomically update ip sets? I have seen that there is a command to swap
> an ip set. So I would build up a new set, then swap it with the old one,
> and then delete the old one. Is that the right way of changing ip sets?
> The other option would be to create a whole new set of ipsets and then a
> new set of iptables rules with these sets, and then I use
> iptables-restore to atomically switch the full firewall table. This
> seems like quite a bit of overkill though, doesn't it? Does anyone have
> an idea about how to best work with ip sets without building glitches
> into my firewall whilst reconfiguring ip sets?
>
> Thanks for any pointers.
>
> Anna
The way I learned to do this atomically was by creating a new set and
using "ipset swap $OLDLIST $NEWLIST" to swap your old set with your new set.
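The create / fill / swap / destroy sequence Koen describes, written out as an added example that is not part of this thread. The set name `blocklist`, the type `hash:ip` and the member addresses are constructed for illustration, and the script assumes that `ipset restore` accepts `swap` and `destroy` lines in the same batch as `create` and `add`, so the whole update goes through one ipset invocation:

```shell
#!/bin/sh
# Added example (not from the thread): atomic ipset update by building a
# temporary set, swapping it under the live name, then destroying the old
# contents. Set name, type and members are constructed for illustration.

# build_swap_batch NAME TYPE MEMBER...
# Prints an ipset-restore(8) batch. The live set is touched only by the
# single "swap" line, so iptables rules that match on NAME never see an
# empty or half-filled set, unlike a flush-and-refill sequence.
build_swap_batch() {
    name="$1"; settype="$2"; shift 2
    tmp="${name}_tmp"
    printf 'create %s %s\n' "$tmp" "$settype"
    for member in "$@"; do
        printf 'add %s %s\n' "$tmp" "$member"
    done
    # Both sets must already exist and share type and family; the kernel
    # exchanges their contents in one step.
    printf 'swap %s %s\n' "$tmp" "$name"
    # After the swap the temporary name holds the old entries; drop them.
    printf 'destroy %s\n' "$tmp"
}

# apply_swap_batch NAME TYPE MEMBER...
# Feeds the batch to a single "ipset restore". Needs root and a live ipset
# (the target set must exist before the first swap), so it is not run here.
apply_swap_batch() {
    name="$1"
    tmp="${name}_tmp"
    # A temporary set left over from an interrupted run would make
    # "create" fail, so clear it first.
    if ipset list -n "$tmp" >/dev/null 2>&1; then
        ipset destroy "$tmp"
    fi
    build_swap_batch "$@" | ipset restore
}

# Constructed usage: rebuild the hash:ip set "blocklist" with two members.
# apply_swap_batch blocklist hash:ip 192.0.2.1 192.0.2.2
```

The reason this is glitch-free is that iptables references a set by name only; swapping the contents behind a stable name leaves every `-m set --match-set blocklist` rule valid throughout, whereas flushing empties the set for as long as the refill takes. The same batch also works against an empty member list, which is the safe way to clear a set atomically rather than flushing it in place.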