Thomas Delrue on 29 Aug 2015 12:59:31 -0700



[PLUG] Behavior of iptables-save and iptables-restore when run concurrently



Hello,

I have a bit of a weird question about the behavior of iptables-save and
iptables-restore when run at the same time.

Let's say that I have a situation like this:
- My rules contain chains called FOO, BAR and BAZ which each contain a
bunch of goodies.
- I don't want to change what FOO or BAZ look like
- But, occasionally, I want to regenerate what the BAR chain should look
like, as in: I want to completely rewrite the entire BAR chain from
scratch. This is done by a program at certain intervals.

What I'd like to do is do a popen("iptables-save", "r") and as I read
the contents from it, I was thinking of directly piping it into
iptables-restore (using popen("iptables-restore", "w")).
I happily write whatever is coming from the iptables-save pipe into the
pipe for iptables-restore and as soon as I encounter the starting point
for my 'BAR' chain, instead of writing the content of the BAR chain
coming from the iptables-save pipe, I write my new (full) content for
what BAR should look like.
Then I let iptables-save continue until it sees the end of the (old) BAR
chain data after which I just happily continue to pipe what is coming
from the iptables-save pipe into the iptables-restore pipe thus
preserving what was there originally for everything except for my BAR
chain which now contains the new information.

My questions are the following:
- Will this work? Will iptables-restore wait to apply the incoming data
until it has seen everything or will it apply it as it comes in and
influence what is coming in through my other pipe from -save?
- At what point does the incoming data get applied? Does it occur upon
my call to pclose(iptables_restore_pipe)?

I seem to recall someone mentioning that iptables-restore was atomic, so
I would guess that it would wait with applying until it sees an EOF
(pclose()?) or COMMIT but I wanted to double check.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
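Added example, not from the original message or any reply to it: the filter the poster describes, written in Python rather than the poster's C, sitting between iptables-save and iptables-restore and swapping out one chain's rules. iptables-restore buffers each table from its "*name" line and installs the whole table at that table's COMMIT line, so the swap is atomic per table (not across tables) and the new ruleset is installed only after iptables-save has already emitted the old one for that table. The script name, the rules file, the sample dump and the addresses in it are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Rewrite one chain inside an iptables-save dump on its way to
iptables-restore.  Added example, not code from the original post.

Assumed pipeline (file and script names are illustrative):
    iptables-save | python3 rewrite_chain.py filter BAR new_bar.rules | iptables-restore
where new_bar.rules holds the replacement rules, one '-A BAR ...' per line.

iptables-save format reminder:
    *filter                 a table begins
    :BAR - [0:0]            chain declaration (policy '-' for user chains)
    -A BAR -s 10.0.0.1 -j DROP   one rule appended to a chain
    COMMIT                  table ends; iptables-restore applies it here
"""
import re
import sys


def rewrite_chain(dump, table, chain, new_rules):
    """Return the dump with every '-A <chain>' rule inside '*<table>' replaced
    by new_rules, emitted where the first old rule stood (or just before
    COMMIT if the chain had no rules).  Everything else, including a chain
    of the same name in another table and the '-j <chain>' jumps that
    reference it, passes through unchanged."""
    # '(\s|$)' keeps 'BAR' from matching 'BARN'; '-A INPUT -j BAR' is a jump,
    # not a BAR rule, and does not match either.
    rule_re = re.compile(r"^-A %s(\s|$)" % re.escape(chain))
    bad = [r for r in new_rules if not rule_re.match(r)]
    if bad:
        # Refuse to smuggle a rule into some other chain by mistake.
        raise ValueError("replacement rule does not append to %s: %r" % (chain, bad[0]))

    out = []
    in_table = seen_table = declared = emitted = False
    for line in dump.splitlines():
        if line.startswith("*"):                  # '*filter': a new table begins
            in_table = (line[1:] == table)
            seen_table = seen_table or in_table
            declared = emitted = False
        elif in_table:
            if line.startswith(":%s " % chain):   # ':BAR - [0:0]' declaration
                declared = True
            elif rule_re.match(line):             # old '-A BAR ...' rule: drop it
                if not emitted:
                    out.extend(new_rules)
                    emitted = True
                continue
            elif line == "COMMIT":                # restore installs the table here
                if not declared:
                    raise ValueError("chain %s is not declared in table %s" % (chain, table))
                if not emitted:                   # chain existed but was empty
                    out.extend(new_rules)
                    emitted = True
                in_table = False
        out.append(line)
    if not seen_table:
        raise ValueError("table %s not present in dump" % table)
    return "\n".join(out) + "\n"


# Constructed sample dump (not captured from a real host).  Note that BAR
# also exists in the nat table and that INPUT jumps to BAR.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:BAR - [0:0]
-A BAR -j RETURN
COMMIT
*filter
:INPUT DROP [0:0]
:FOO - [0:0]
:BAR - [0:0]
:BAZ - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j FOO
-A INPUT -j BAR
-A INPUT -j BAZ
-A FOO -p tcp --dport 22 -j ACCEPT
-A BAR -s 192.0.2.10/32 -j DROP
-A BAR -s 192.0.2.11/32 -j DROP
-A BAZ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


def main(argv):
    table, chain, path = argv[1:4]
    with open(path) as f:
        new_rules = [l.rstrip("\n") for l in f if l.strip() and not l.startswith("#")]
    sys.stdout.write(rewrite_chain(sys.stdin.read(), table, chain, new_rules))


if __name__ == "__main__":
    main(sys.argv)
```

The replacement rules are checked to begin with "-A BAR" so a stray line cannot land in another chain, and the BAR chain in the nat table is left alone because the match is scoped to one table. If only BAR ever changes, the cheaper route is "iptables-restore --noflush" fed a fragment consisting of "*filter", "-F BAR", the new "-A BAR" lines and "COMMIT": that rebuilds BAR in one commit and never reads FOO or BAZ at all.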