Thomas Delrue on 29 Aug 2015 12:59:31 -0700
[PLUG] Behavior of iptables-save and iptables-restore when run concurrently
Hello,

I have a bit of a weird question about the behavior of iptables-save and iptables-restore when run at the same time.

Let's say that I have a situation like this:
- My rules contain chains called FOO, BAR and BAZ which each contain a bunch of goodies.
- I don't want to change what FOO or BAZ look like.
- But, occasionally, I want to regenerate what the BAR chain should look like, as in: I want to completely rewrite the entire BAR chain from scratch. This is done by a program at certain intervals.

What I'd like to do is do a popen("iptables-save", "r") and as I read the contents from it, I was thinking of directly piping it into iptables-restore (using popen("iptables-restore", "w")).

I happily write whatever is coming from the iptables-save pipe into the pipe for iptables-restore and as soon as I encounter the starting point for my 'BAR' chain, instead of writing the content of the BAR chain coming from the iptables-save pipe, I write my new (full) content for what BAR should look like. Then I let iptables-save continue until it sees the end of the (old) BAR chain data, after which I just happily continue to pipe what is coming from the iptables-save pipe into the iptables-restore pipe, thus preserving what was there originally for everything except for my BAR chain, which now contains the new information.

My questions are the following:
- Will this work? Will iptables-restore wait to apply the incoming data until it has seen everything or will it apply it as it comes in and influence what is coming in through my other pipe from -save?
- At what point does the incoming data get applied? Does it occur upon my call to pclose(iptables_restore_pipe)?

I seem to recall someone mentioning that iptables-restore was atomic, so I would guess that it would wait with applying until it sees an EOF (pclose()?) or COMMIT, but I wanted to double check.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug