* Behavior of iptables-save and iptables-restore when run concurrently
@ 2015-08-29 19:22 Thomas Delrue
2015-09-02 19:19 ` Akshat Kakkar
From: Thomas Delrue @ 2015-08-29 19:22 UTC (permalink / raw)
To: netfilter
Hello,
I have a bit of a weird question about the behavior of iptables-save and
iptables-restore when run at the same time.
Let's say that I have a situation like this:
- My rules contain chains called FOO, BAR and BAZ which each contain a
bunch of goodies.
- I don't want to change what FOO or BAZ look like.
- But, occasionally, I want to regenerate what the BAR chain should look
like, as in: I want to completely rewrite the entire BAR chain from
scratch. This is done by a program at certain intervals.
What I'd like to do is do a popen("iptables-save", "r") and as I read
the contents from it, I was thinking of directly piping it into
iptables-restore (using popen("iptables-restore", "w")).
I happily write whatever is coming from the iptables-save pipe into the
pipe for iptables-restore and as soon as I encounter the starting point
for my 'BAR' chain, instead of writing the content of the BAR chain
coming from the iptables-save pipe, I write my new (full) content for
what BAR should look like.
Then I let iptables-save continue until it sees the end of the (old) BAR
chain data after which I just happily continue to pipe what is coming
from the iptables-save pipe into the iptables-restore pipe thus
preserving what was there originally for everything except for my BAR
chain which now contains the new information.
My questions are the following:
- Will this work? Will iptables-restore wait to apply the incoming data
until it has seen everything or will it apply it as it comes in and
influence what is coming in through my other pipe from -save?
- At what point does the incoming data get applied? Does it occur upon
my call to pclose(iptables_restore_pipe)?
I seem to recall someone mentioning that iptables-restore was atomic, so
I would guess that it would wait with applying until it sees an EOF
(pclose?) but I wanted to double check.
* Re: Behavior of iptables-save and iptables-restore when run concurrently
@ 2015-09-02 19:19 ` Akshat Kakkar
From: Akshat Kakkar @ 2015-09-02 19:19 UTC (permalink / raw)
To: Thomas Delrue; +Cc: netfilter@vger.kernel.org
As far as your requirement is concerned, you can achieve that by using
iptables-restore with the --noflush option and give it only the BAR input in
the format generated by iptables-save.
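The approach from the reply, written out as an added example (not code from either poster): a small script that feeds iptables-restore --noflush a fragment containing only the BAR chain. iptables-restore builds the whole table from its input and commits it at the COMMIT line, so BAR is swapped in one step rather than rule by rule, and --noflush leaves FOO, BAZ, the builtin chains and the existing jumps into BAR untouched. The table name, chain name and the sample rules are assumptions for illustration.

```shell
#!/bin/sh
# Rebuild only the BAR chain of the filter table with iptables-restore --noflush.
# Assumptions (constructed for this example): table "filter", chain "BAR",
# and the sample rule bodies passed at the bottom.
set -eu

TABLE="filter"
CHAIN="BAR"

# Emit a complete iptables-restore fragment for $CHAIN. Each argument is one
# rule body, i.e. everything that would follow "iptables -A BAR".
# The ":CHAIN" line creates the chain if it does not exist yet; the explicit
# "-F CHAIN" makes sure the old contents are dropped even on iptables versions
# where the ":" line alone does not flush an existing user chain under --noflush.
bar_restore_input() {
    printf '*%s\n' "$TABLE"
    printf ':%s - [0:0]\n' "$CHAIN"
    printf '%s %s\n' '-F' "$CHAIN"
    for rule in "$@"; do
        printf '%s %s %s\n' '-A' "$CHAIN" "$rule"
    done
    printf 'COMMIT\n'
}

# Apply the fragment. --noflush keeps every other chain in the table; without it
# iptables-restore would flush the whole table and FOO/BAZ would disappear.
# The table is replaced at COMMIT, so BAR is never observed half-populated.
apply_bar() {
    bar_restore_input "$@" | iptables-restore --noflush
}

# Constructed sample rule set: accept an internal range and established flows,
# drop whatever else reaches BAR. A real program would regenerate this list
# at each interval. Without --apply the script only prints the fragment, which
# lets you review exactly what would be loaded before touching the live ruleset.
if [ "${1:-}" = "--apply" ]; then
    apply_bar \
        "-s 10.0.0.0/8 -j ACCEPT" \
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-j DROP"
else
    bar_restore_input \
        "-s 10.0.0.0/8 -j ACCEPT" \
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-j DROP"
fi
```

Running it as root with --apply replaces BAR atomically; the jumps from INPUT or FORWARD into BAR keep working because those chains are not part of the fragment.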