From: Christoph Anton Mitterer <christoph.anton.mitterer@lmu.de>
To: netfilter@vger.kernel.org
Subject: Re: ipset save and restore
Date: Wed, 19 Dec 2012 23:23:54 +0100 [thread overview]
Message-ID: <1355955834.5199.27.camel@fermat.scientia.net> (raw)
In-Reply-To: <alpine.DEB.2.00.1212192146330.23162@blackhole.kfki.hu>
[-- Attachment #1: Type: text/plain, Size: 2114 bytes --]
Hey Jozsef.
On Wed, 2012-12-19 at 22:01 +0100, Jozsef Kadlecsik wrote:
> > Of course I understand that it could not delete sets which are in use,
> > but at least it could empty them.
> Restore mode is flexible. If you want the sets to be emptied first, then
> start with the flush command (in the file).
Phew... I'd rather say it's less powerful... if someone really want's
fine grained control, he can still use the single commands.
restore is even documented in the ipset manpage to do what e.g. iptables
restore does... getting the session back... but it doesn't.
I think that should definitely be documented better.
> > Now when I use the following instead:
> > ipset flush
> > ipset destroy
> > ipset restore < file
>
> Why do you destroy the sets?
Well if you have long running systems and sets get unused one probably
want's to release their memory.
btw: "ipset destroy" fails if a single set still contains entries...
wouldn't it be better if all empty sets are destroyed and it only fails
on those which are not?
> If the sets are in use then you cannot delete
> them at all.
I understand that this might be necessary from a technical point of
view,.. but wouldn't it be simply possible to consider non-existing sets
to be empty sets?
> If you are not concerned that for a very small time the sets are empty,
> then simply start with the flush command in the restore file and that's
> all (I don't see why you'd want to destroy those).
Well I'd have expected that everybody would be concerned... when you
have some high speed network you surely will loose packets...
> If you want to avoid the time while the sets are empty, then use the
> sequence of
>
> - restore into a temporary set
> - swap the set with the temporary one
> - destroy the temporary set
Thanks... this is at least a way... but unfortunately someone that
implies some additional programming effort...
Actually the above would be what one would expect from the restore
command, I guess.
No chance that the semantics are changed here?
Cheers,
Chris.
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3811 bytes --]
next prev parent reply other threads:[~2012-12-19 22:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-19 14:53 ipset save and restore Christoph Anton Mitterer
2012-12-19 21:01 ` Jozsef Kadlecsik
2012-12-19 22:23 ` Christoph Anton Mitterer [this message]
2012-12-19 23:24 ` Jozsef Kadlecsik
2012-12-20 0:23 ` Christoph Anton Mitterer
2012-12-20 12:00 ` Jozsef Kadlecsik
2012-12-20 16:12 ` Christoph Anton Mitterer
2012-12-20 19:12 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1355955834.5199.27.camel@fermat.scientia.net \
--to=christoph.anton.mitterer@lmu.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox