netfilter.vger.kernel.org archive mirror
* How to programmatically atomically write one CHAIN (not table)
@ 2011-05-05 12:14 Alex Bligh
  2011-05-05 14:08 ` Jan Engelhardt
From: Alex Bligh @ 2011-05-05 12:14 UTC (permalink / raw)
  To: netfilter; +Cc: Alex Bligh

What is the best way to programmatically, atomically add/replace an
entire chain? Assume the table has lots and lots of chains.

Calling "iptables" itself is non-atomic.

I could build an entire replacement chain with a different name
(through repeated calling of iptables -A), then change the
jump statement that calls it. But that seems horribly
inefficient.

Opening a pipe to iptables-restore with "-n" passed
is an option provided I prefix the chains concerned
with "-F <chainname>" (I can't pass the whole thing
and avoid -n as the chain might have (say) 10 rules,
but there might be 100 chains, so this will
be grossly inefficient). However, looking at the
source, it appears merely to call do_command to
parse each line, and I can't see how this can be
atomic. Also, I'd like to avoid the fork().

The FAQ seems to suggest calling any form of library API
is bad.

Any ideas?

-- 
Alex Bligh


* Re: How to programmatically atomically write one CHAIN (not table)
  2011-05-05 12:14 How to programmatically atomically write one CHAIN (not table) Alex Bligh
@ 2011-05-05 14:08 ` Jan Engelhardt
  2011-05-05 15:17   ` Alex Bligh
From: Jan Engelhardt @ 2011-05-05 14:08 UTC (permalink / raw)
  To: Alex Bligh; +Cc: netfilter

On Thursday 2011-05-05 14:14, Alex Bligh wrote:

> What is the best way to programmatically, atomically add/replace an
> entire chain? Assume the table has lots and lots of chains.

Because table-replace is an atomic operation, so are all smaller 
operations based upon it.

> Calling "iptables" itself is non-atomic.

iptables does issue a table-replace, so it is atomic. -- Within the one 
rule you wanted to add.

If you want to change multiple rules in one go, don't use iptables, use 
iptables-restore.

> Opening a pipe to iptables-restore with "-n" passed
> is an option provided I prefix the chains concerned
> with "-F <chainname>" (I can't pass the whole thing
> and avoid -n as the chain might have (say) 10 rules,
> but there might be 100 chains, so this will
> be grossly inefficient). However, looking at the
> source, it appears merely to call do_command to
> parse each line, and I can't see how this can be
> atomic.

do_command alone does not commit the result.
restore is right in what it does.


* Re: How to programmatically atomically write one CHAIN (not table)
  2011-05-05 14:08 ` Jan Engelhardt
@ 2011-05-05 15:17   ` Alex Bligh
From: Alex Bligh @ 2011-05-05 15:17 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter, Alex Bligh

--On 5 May 2011 16:08:53 +0200 Jan Engelhardt <jengelh@medozas.de> wrote:

> do_command alone does not commit the result.
> restore is right in what it does.

Ah OK - have reread the source and now understand. So a pipe to
iptables-restore with "-n" on the command line, and "-F" inside
the chain to replace is the right way to go?

-- 
Alex Bligh

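Putting the two replies together, here is an added example of the approach the thread settles on; it is not code from the thread or from the iptables project. A POSIX sh function builds the iptables-restore batch for a single chain (flush it with -F, append the new rules, COMMIT) and a second function pipes that batch into iptables-restore -n so every other chain in the table is left alone. The table name "filter", the chain name "svc-web" and the rules are constructed placeholders; the chain is assumed to already exist, since -F flushes a chain but does not create one. The live table is only touched when RUN_IPTABLES=1 is set and the caller is root; otherwise the script just prints the batch it would have fed in.

```shell
#!/bin/sh
# Added example, not code from the thread or from the iptables project.
# Build an iptables-restore batch that replaces exactly one user-defined
# chain, then hand the whole batch to iptables-restore -n in one go.
# Assumptions (constructed for illustration): table "filter", chain
# "svc-web" and the rules at the bottom; the chain must already exist
# because "-F" flushes a chain but does not create one.

nl='
'

# build_chain_batch TABLE CHAIN RULE...
# Prints the restore batch on stdout:
#   *TABLE / -F CHAIN / -A CHAIN RULE ... / COMMIT
# Nothing before COMMIT reaches the kernel: iptables-restore parses every
# line and issues a single table replace when it reads COMMIT.
build_chain_batch() {
    table=$1; chain=$2; shift 2
    # Reject names that could break the batch syntax (empty names, or
    # characters outside what iptables accepts for table/chain names).
    case $table in *[!a-z]*|'') echo "bad table name: '$table'" >&2; return 1;; esac
    case $chain in *[!A-Za-z0-9_.-]*|'') echo "bad chain name: '$chain'" >&2; return 1;; esac
    # A rule string containing a newline would inject extra batch lines
    # (for example a COMMIT, or an -A on some other chain), so refuse it.
    for rule in "$@"; do
        case $rule in *"$nl"*) echo "rule contains newline" >&2; return 1;; esac
    done
    printf '*%s\n' "$table"
    printf '%s %s\n' -F "$chain"
    for rule in "$@"; do
        printf '%s %s %s\n' -A "$chain" "$rule"
    done
    printf 'COMMIT\n'
}

# apply_chain TABLE CHAIN RULE...
# Builds the batch first (so a rejected input never reaches the kernel),
# then pipes it into iptables-restore. -n (--noflush) leaves every other
# chain in TABLE untouched; the batch lands in one table replace.
# Returns iptables-restore's exit status.
apply_chain() {
    batch=$(build_chain_batch "$@") || return 1
    printf '%s\n' "$batch" | iptables-restore -n
}

# Constructed demo policy. Only touches the live table when explicitly
# asked to and running as root; otherwise just print the batch.
if [ "${RUN_IPTABLES:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_chain filter svc-web \
        '-p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' \
        '-p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT' \
        '-j DROP'
else
    build_chain_batch filter svc-web \
        '-p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' \
        '-p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT' \
        '-j DROP'
fi
```

Two caveats worth keeping in mind. First, "atomic" here means all-or-nothing for that one table replace: if any line fails to parse, iptables-restore exits before COMMIT and the kernel table is unchanged, but it does not serialize against another process doing its own read-modify-replace of the same table at the same moment (later iptables releases added the /run/xtables.lock file and the -w option for exactly that). Second, because rule text is spliced into the batch verbatim, anything that comes from configuration or a network-facing control plane must be validated before it is handed to the builder; the newline check above is the minimum that stops a rule string from smuggling extra batch lines past the chain you meant to replace.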
