From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: Reload IPtables
Date: Tue, 29 Jun 2021 10:37:18 +0200
Message-ID: <20210629083718.GA10943@salvia>
In-Reply-To: <20210629083652.GA10896@salvia>
On Mon, Jun 28, 2021 at 10:02:41PM -0400, Neal P. Murphy wrote:
> On Mon, 28 Jun 2021 10:43:10 +0100
> Kerin Millar <kfm@plushkava.net> wrote:
>
> > Now you benefit from atomicity (the rules will either be committed at once, in full, or not at all) and proper error handling (the exit status value of iptables-restore is meaningful and acted upon). Further, should you prefer to indent the body of the heredoc, you may write <<-EOF, though only leading tab characters will be stripped out.
> >
>
> [minor digression]
>
> Is iptables-restore truly atomic in *all* cases?

Packets either see the old table or the new table; no intermediate
ruleset state is exposed to the packet path.

> Some years ago, I found through experimentation that some rules were
> 'lost' when restoring more than 25 000 rules.

Could you specify kernel and userspace versions? Rules are not 'lost'
when restoring large rulesets.

> If I placed a COMMIT every 20 000 rules or so, then all rules would
> be properly loaded. I think COMMITs break atomicity.

Why are you placing a COMMIT every 20 000 rules?

> I tested with 100k to 1M rules.

iptables is handling very large rulesets already.

> I was comparing the efficiency of iptables-restore with another tool
> that read from STDIN; the other tool was about 5% more efficient.

Could you please specify which other tool you are referring to?

iptables-restore is the best practice to restore your ruleset.

You should also use iptables-restore to perform incremental updates via
--noflush.
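The points raised in this exchange (one COMMIT per table so the load is a single transaction, the exit status of iptables-restore being the only success signal, and --noflush for incremental changes) as an added shell example. This is not code from the thread, from its participants or from the netfilter project: it generates a constructed filter-table ruleset, checks that the file is well-formed before loading it, propagates the exit status of iptables-restore instead of ignoring it, and applies a follow-up change with --noflush. IPTABLES_RESTORE is an assumed environment override so the functions can be exercised with a stand-in command; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the netfilter project.
# IPTABLES_RESTORE is an assumed override so the functions below can be
# exercised with a stand-in command instead of the real binary.
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Emit a constructed ruleset on stdout: policies for the built-in chains, N
# ACCEPT rules for distinct source hosts, and exactly one COMMIT at the end,
# so the whole table is applied as a single transaction.
build_ruleset() {
    n="$1"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    i=1
    while [ "$i" -le "$n" ]; do
        # derive a unique 10.x.y.z address (constructed) from the rule index
        printf '%s\n' "-A INPUT -s 10.$(( (i / 65536) % 256 )).$(( (i / 256) % 256 )).$(( i % 256 ))/32 -p tcp --dport 22 -j ACCEPT"
        i=$((i + 1))
    done
    printf '%s\n' 'COMMIT'
}

# Number of COMMIT lines in a ruleset read from stdin. Every COMMIT closes a
# transaction, so a file with several of them is not loaded as one unit: blocks
# before a failing one are already in the kernel when iptables-restore exits.
commit_count() {
    grep -c '^COMMIT$'
}

# Number of rule lines in a ruleset read from stdin.
rule_count() {
    grep -c '^-A '
}

# Structural check on stdin: each *table header must be closed by exactly one
# COMMIT, the file must not end inside an open table, and it must contain at
# least one table. Returns 0 when the ruleset is sane.
check_ruleset() {
    awk '
        /^\*/      { open++; tables++ }
        /^COMMIT$/ { if (open != 1) bad = 1; open-- }
        END        { if (bad || open != 0 || tables == 0) exit 1 }
    '
}

# Replace the loaded ruleset with the one on stdin. The exit status of
# iptables-restore is the only indication that the kernel accepted the new
# table, so it is propagated to the caller rather than swallowed.
restore_full() {
    "$IPTABLES_RESTORE"
}

# Apply an incremental change from stdin without flushing what is already
# loaded (--noflush); the block is still applied as a unit at its COMMIT.
restore_incremental() {
    "$IPTABLES_RESTORE" --noflush
}

# Usage: ./reload.sh apply 1000   -> load 1000 rules in one transaction, then
# append one more rule with --noflush. Nothing runs without the "apply" argument.
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) || exit 1
    build_ruleset "${2:-1000}" > "$tmp"
    check_ruleset < "$tmp" || { echo "malformed ruleset, not loading" >&2; rm -f "$tmp"; exit 1; }
    if restore_full < "$tmp"; then
        echo "loaded $(rule_count < "$tmp") rules in $(commit_count < "$tmp") transaction(s)"
    else
        rc=$?
        echo "iptables-restore failed with status $rc; previous table contents remain active" >&2
        rm -f "$tmp"
        exit "$rc"
    fi
    rm -f "$tmp"
    # incremental update: only the new rule and its COMMIT, no chain declarations
    printf '%s\n' '*filter' '-A INPUT -s 192.0.2.10/32 -p tcp --dport 443 -j ACCEPT' 'COMMIT' \
        | restore_incremental
fi
```

The check_ruleset step is the one worth keeping even if the rest is adapted: a file that was split into several COMMIT blocks to work around an old problem will pass iptables-restore but no longer gives the old-table-or-new-table guarantee described above, and the count of COMMIT lines makes that visible before anything is loaded.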