Victor on 29 Aug 2015 15:59:42 -0700



Re: [PLUG] Behavior of iptables-save and iptables-restore when run concurrently


I am not so familiar with the inner workings of iptables-save/restore,
but I would agree that iptables-restore is probably atomic.

I wanted to ask if you were drastically altering the chain, and if the
iptables --delete, --insert, and --replace options could be used for a
simpler solution? Unless BAR contains dozens of unique rules per
rewrite, iptables-save/restore may not offer much benefit.

On Sat, Aug 29, 2015 at 3:59 PM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
>
> Hello,
>
> I have a bit of a weird question about the behavior of iptables-save and
> iptables-restore when run at the same time.
>
> Let's say that I have a situation like this:
> - My rules contain chains called FOO, BAR and BAZ which each contain a
> bunch of goodies.
> - I don't want to change what FOO or BAZ look like
> - But, occasionally, I want to regenerate what the BAR chain should look
> like, as in: I want to completely rewrite the entire BAR chain from
> scratch. This is done by a program at certain intervals.
>
> What I'd like to do is do a popen("iptables-save", "r") and as I read
> the contents from it, I was thinking of directly piping it into
> iptables-restore (using popen("iptables-restore", "w"))
> I happily write whatever is coming from the iptables-save pipe into the
> pipe for iptables-restore and as soon as I encounter the starting point
> for my 'BAR' chain, instead of writing the content of the BAR chain
> coming from the iptables-save pipe, I write my new (full) content for
> what BAR should look like.
> Then I let iptables-save continue until it sees the end of the (old) BAR
> chain data after which I just happily continue to pipe what is coming
> from the iptables-save pipe into the iptables-restore pipe thus
> preserving what was there originally for everything except for my BAR
> chain which now contains the new information.
>
> My questions are the following:
> - Will this work? Will iptables-restore wait to apply the incoming data
> until it has seen everything or will it apply it as it comes in and
> influence what is coming in through my other pipe from -save?
> - At what point does the incoming data get applied? Does it occur upon
> my call to pclose(iptables_restore_pipe)?
>
> I seem to recall someone mentioning that iptables-restore was atomic, so
> I would guess that it would wait with applying until it sees an EOF
> (pclose()?) or COMMIT but I wanted to double check.
>
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
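The chain rewrite the thread describes, as an added example that is not code from either poster. It reads the complete iptables-save dump before iptables-restore is started (so the two never run at the same time), swaps the rules of one user chain while keeping its `:CHAIN` declaration and every jump into it from other chains, and only then hands the whole dump to iptables-restore on stdin; iptables-restore applies each table as a unit when it reaches that table's COMMIT line. The sample dump, the chain names, the replacement rules and the `iptables-restore` invocation under `__main__` are assumptions made for the example; the rewrite itself runs offline on the constructed text.

```python
"""Added example (not from the thread): rewrite one chain between
iptables-save and iptables-restore without the two ever running concurrently.
"""
import re
import subprocess
from typing import Iterable, List, Optional

# Constructed sample of iptables-save output; not captured from a real host.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Sat Aug 29 15:59:42 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FOO - [0:0]
:BAR - [0:0]
:BAZ - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j FOO
-A INPUT -j BAR
-A INPUT -j BAZ
-A FOO -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A BAR -s 192.0.2.10/32 -j DROP
-A BAR -s 192.0.2.11/32 -j DROP
-A BAZ -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Aug 29 15:59:42 2015
"""


def rewrite_chain(dump: str, table: str, chain: str, new_rules: Iterable[str]) -> str:
    """Return `dump` with the rules of `chain` in `table` replaced by `new_rules`.

    `new_rules` are rule bodies without the leading "-A CHAIN " part.  The
    ":CHAIN - [pkts:bytes]" declaration and all "-j CHAIN" jumps from other
    chains are left as they are, so the chain must already exist in the table.
    Every other table and chain passes through unchanged.
    """
    rules = ["-A %s %s" % (chain, body) for body in new_rules]
    old_rule = re.compile(r"^-A %s(?:\s|$)" % re.escape(chain))
    declaration = ":%s " % chain
    out: List[str] = []
    current_table: Optional[str] = None
    declared = False
    committed = False
    insert_at: Optional[int] = None      # index in `out` where the new rules go

    for line in dump.splitlines():
        if line.startswith("*"):                  # "*filter": a new table starts
            current_table = line[1:].strip()
        elif current_table == table:
            if line.startswith(declaration):
                declared = True
            elif old_rule.match(line):
                if insert_at is None:             # keep the chain at its old position
                    insert_at = len(out)
                continue                          # drop the old rule
            elif line == "COMMIT":
                if not declared:
                    raise ValueError("chain %s not declared in table %s" % (chain, table))
                if insert_at is None:             # chain had no rules: put ours before COMMIT
                    insert_at = len(out)
                out[insert_at:insert_at] = rules
                committed = True
        out.append(line)

    if not committed:
        raise ValueError("table %s has no COMMIT line in the dump" % table)
    return "\n".join(out) + "\n"


def replace_chain_live(table: str, chain: str, new_rules: Iterable[str]) -> None:
    """Read the whole dump first, rewrite it, then restore it in one go (needs root)."""
    # iptables-save has exited before iptables-restore starts, so nothing the
    # restore does can feed back into the dump being read.
    dump = subprocess.check_output(["iptables-save"]).decode()
    new_dump = rewrite_chain(dump, table, chain, new_rules)
    # iptables-restore replaces each table as a unit when it reaches COMMIT.
    subprocess.run(["iptables-restore"], input=new_dump.encode(), check=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed dump with assumed replacement rules.
    print(rewrite_chain(SAMPLE_DUMP, "filter", "BAR",
                        ["-s 203.0.113.5/32 -j DROP", "-j RETURN"]), end="")
```

Because the new rules are spliced in at the position of the old ones and the `:BAR - [0:0]` line is kept, the `-A INPUT -j BAR` jump keeps resolving after the restore; if the chain were dropped from the dump instead, iptables-restore would reject the whole table at COMMIT and leave the old ruleset in place.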