Re: [PLUG] Behavior of iptables-save and iptables-restore when run concu

Thomas Delrue on 29 Aug 2015 17:35:13 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Behavior of iptables-save and iptables-restore when run concurrently

From: Thomas Delrue <delrue.thomas@gmail.com>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: Re: [PLUG] Behavior of iptables-save and iptables-restore when run concurrently
Date: Sat, 29 Aug 2015 20:35:06 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type; bh=q7hXfXt8ma1bvor14T+NfT2vtaTG5zzqyqKvyRZK9Po=; b=tk+HHNVKXu3LRRbELZotnk48T5ZLaYAwnOtqEw/Q2SlBkJpvyCqI+qDnL6QvQoi4DJ gpM6iUDEXiGNh6i1GMR0UnMhenR/6t6tdsxBt7YwMGe2B03lxmjQMASxefENfnnLqf04 yxTLskEXtQKHgQhiMxdVZKE99VOejHjnXOl1Hd7rhvWVnDysiZ6yvpC5BcN6b96jJgSB vR+xi3UAFCFfXvoy5H0OtcCqrdRY16YaDlXOCyDmDcYEXCdkPU6q4/F+VNSuvs7BAES6 sqAVJcIphsqdxcj0bRcwSaWpJMFWCtvYFuVRNRNGjPVfG2g5gR0rHB5IfJECtYqSjmCK dnbA==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0

I though about that and sadly BAR does indeed contain dozens of unique
rules on each rewrite. --delete/insert/replace is just too much of a
hassle because I'd have to write code that figures out which index to
delete or at which index to insert.
Doing it bulk-wise using iptables-restore (change the entire
[chain]world) let's me ignore that part of the problem.

On 08/29/2015 06:59 PM, Victor wrote:
> I am not so familiar with the inner workings of
> iptables-save/restore, but I would agree that iptables-restore is
> probably atomic.
> 
> I wanted to ask if you were drastically altering the chain, and if
> the iptables --delete, --insert, and --replace options could be used
> for a simpler solution? Unless BAR contains dozens of unique rules
> per rewrite, iptables-save/restore may not offer much benefit.
> 
> On Sat, Aug 29, 2015 at 3:59 PM, Thomas Delrue
> <delrue.thomas@gmail.com> wrote:
> 
> 
> Hello,
> 
> I have a bit of a weird question about the behavior of iptables-save
> and iptables-restore when run at the same time.
> 
> Let's say that I have a situation like this: - My rules contain
> chains called FOO, BAR and BAZ which each contain a bunch of
> goodies. - I don't want to change what FOO or BAZ look like - But,
> occasionally, I want to regenerate what the BAR chain should look 
> like, as in: I want to completely rewrite the entire BAR chain from 
> scratch. This is done by a program at certain intervals.
> 
> What I'd like to do is do a popen("iptables-save", "r") and as I
> read the contents from it, I was thinking of directly piping it into 
> iptables-restore (using popen("iptables-restore", w")) I happily
> write whatever is coming from the iptables-save pipe into the pipe
> for iptables-restore and as soon as I encounter the starting point 
> for my 'BAR' chain, instead of writing the content of the BAR chain 
> coming from the iptables-save pipe, I write my new (full) content
> for what BAR should look like. Then I let iptables-save continue
> until it sees the end of the (old) BAR chain data after which I just
> happily continue to pipe what is coming from the iptables-save pipe
> into the iptables-restore pipe thus preserving what was there
> originally for everything except for my BAR chain which now contains
> the new information.
> 
> My questions are the following: - Will this work? Will
> iptables-restore wait to apply the incoming data until it has seen
> everything or will it apply it as it comes in and influence what is
> coming in through my other pipe from -save? - At what point does the
> incoming data get applied? Does it occur upon my call to
> pclose(iptables_restore_pipe)?
> 
> I seem to recall someone mentioning that iptables-restore was atomic,
> so I would guess that it would wait with applying until it sees an
> EOF (pclose()?) or OCMMIT but I wanted to double check.
> 
>> ___________________________________________________________________________
>>
>> 
Philadelphia Linux Users Group         --        http://www.phillylinux.org
>> Announcements -
>> http://lists.phillylinux.org/mailman/listinfo/plug-announce General
>> Discussion  --
>> http://lists.phillylinux.org/mailman/listinfo/plug
> ___________________________________________________________________________
>
> 
Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements -
> http://lists.phillylinux.org/mailman/listinfo/plug-announce General
> Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>

Attachment: signature.asc
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

References:
- [PLUG] Behavior of iptables-save and iptables-restore when run concurrently
  - From: Thomas Delrue <delrue.thomas@gmail.com>
- Re: [PLUG] Behavior of iptables-save and iptables-restore when run concurrently
  - From: Victor <plug@osquat.com>

Prev by Date: Re: [PLUG] Behavior of iptables-save and iptables-restore when run concurrently
Next by Date: Re: [PLUG] How to Design a Great Web Site
Previous by thread: Re: [PLUG] Behavior of iptables-save and iptables-restore when run concurrently
Next by thread: [PLUG] [plug-announce] Wed, Sep 2, 2015: PLUG Central - "Debian: The Community and the Package Management System" by Guo Yixuan (7pm at USP)
Index(es):
- Date
- Thread