From: Akshat Kakkar <akshat.1984@gmail.com>
To: Thomas Delrue <delrue.thomas@gmail.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Behavior of iptables-save and iptables-restore when run concurrently
Date: Thu, 3 Sep 2015 02:19:08 +0700
Message-ID: <CAA5aLPiDTSU5xb0vRaH_eu+83WtLS9bbF6gaPjP0CinVERGoHA@mail.gmail.com>
In-Reply-To: <55E20666.9060802@gmail.com>
As far as your requirement is concerned, you can achieve that by using
iptables-restore with the --noflush option and giving it only the BAR input, in
the format generated by iptables-save.
On Sun, Aug 30, 2015 at 2:22 AM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
> Hello,
>
> I have a bit of a weird question about the behavior of iptables-save and
> iptables-restore when run at the same time.
>
> Let's say that I have a situation like this:
> - My rules contain chains called FOO, BAR and BAZ which each contain a
> bunch of goodies.
> - I don't want to change what FOO or BAZ look like.
> - But, occasionally, I want to regenerate what the BAR chain should look
> like, as in: I want to completely rewrite the entire BAR chain from
> scratch. This is done by a program at certain intervals.
>
> What I'd like to do is do a popen("iptables-save", "r") and, as I read
> the contents from it, I was thinking of directly piping it into
> iptables-restore (using popen("iptables-restore", "w")).
> I happily write whatever is coming from the iptables-save pipe into the
> pipe for iptables-restore and as soon as I encounter the starting point
> for my 'BAR' chain, instead of writing the content of the BAR chain
> coming from the iptables-save pipe, I write my new (full) content for
> what BAR should look like.
> Then I let iptables-save continue until it sees the end of the (old) BAR
> chain data after which I just happily continue to pipe what is coming
> from the iptables-save pipe into the iptables-restore pipe thus
> preserving what was there originally for everything except for my BAR
> chain which now contains the new information.
>
> My questions are the following:
> - Will this work? Will iptables-restore wait to apply the incoming data
> until it has seen everything, or will it apply it as it comes in and
> influence what is coming in through my other pipe from -save?
> - At what point does the incoming data get applied? Does it occur upon
> my call to pclose(iptables_restore_pipe)?
>
> I seem to recall someone mentioning that iptables-restore was atomic, so
> I would guess that it would wait with applying until it sees an EOF
> (pclose?) but I wanted to double check.
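As an added example (not code from either message in this thread), the following POSIX shell script does what Akshat describes: it rewrites a single user-defined chain with `iptables-restore --noflush` instead of round-tripping a full `iptables-save` dump through a second pipe. The table name `filter`, the chain name `BAR` and the three rules are constructed for illustration; `new_bar_rules` stands in for whatever program generates the chain contents. Under `--noflush` the rest of the table is left alone, the `:BAR - [0:0]` line flushes the existing chain, the `-A BAR` lines refill it, and nothing reaches the kernel until `COMMIT`. That last point is also the answer to the atomicity question: iptables-restore applies each table as one replacement when it reads that table's COMMIT line, not rule by rule as input arrives.

```shell
#!/bin/sh
# Added example, not from the thread: atomically rewrite one user-defined
# chain with "iptables-restore --noflush", leaving every other chain alone.
# Assumptions (constructed for illustration): table "filter", an existing
# chain "BAR", and rules produced by new_bar_rules in iptables-save syntax.

TABLE=filter
CHAIN=BAR

# Stand-in for the program that regenerates BAR. Prints one rule per line,
# i.e. everything that would follow "-A BAR " in iptables-save output.
# Constructed sample data.
new_bar_rules() {
    printf '%s\n' \
        '-s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT' \
        '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-j DROP'
}

# Build the restore stream for one table that replaces exactly one chain.
# With --noflush the table is not cleared; the ":CHAIN - [0:0]" line flushes
# that chain, the -A lines refill it, and COMMIT applies all of it at once.
# Reads rules from stdin, writes the stream to stdout.
build_payload() {
    table=$1; chain=$2
    printf '*%s\n' "$table"
    printf ':%s - [0:0]\n' "$chain"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s %s %s\n' -A "$chain" "$rule"
    done
    printf 'COMMIT\n'
}

# Guard: succeed only if every chain line and every -A line in the stream
# on stdin names the target chain. A generator bug that emits ":FOO" would
# otherwise flush FOO as well, so refuse the whole payload in that case.
payload_touches_only() {
    chain=$1
    awk -v c="$chain" '
        /^-A / && $2 != c { bad++ }
        /^:/ { sub(/^:/, "", $1); if ($1 != c) bad++ }
        END { exit (bad ? 1 : 0) }'
}

# Generate, check, and hand the stream to iptables-restore. Needs root.
apply_chain() {
    table=$1; chain=$2
    payload=$(new_bar_rules | build_payload "$table" "$chain")
    printf '%s\n' "$payload" | payload_touches_only "$chain" || {
        echo "refusing: payload touches chains other than $chain" >&2
        return 1
    }
    # The kernel sees nothing until COMMIT; chains not named in the stream
    # keep their rules because of --noflush.
    printf '%s\n' "$payload" | iptables-restore --noflush
}

# Only apply when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = apply ]; then
    apply_chain "$TABLE" "$CHAIN"
fi
```

Run as root with `sh rewrite_chain.sh apply`; without the argument the script only defines the functions. Because a flush removes a chain's rules but not the chain itself, any `-j BAR` jumps in FOO or BAZ stay valid across the rewrite. The `payload_touches_only` guard is the check worth keeping in front of any generated restore stream: with `--noflush`, each `:CHAIN` line you emit is an instruction to empty that chain.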