* 'swap table' feature
@ 2012-05-23 21:25 Neal Murphy
  2012-05-23 21:53 ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Neal Murphy @ 2012-05-23 21:25 UTC (permalink / raw)
  To: netfilter

I knew I'd eventually remember why I subscribed to this list....

While working on enhancing my firewall, it occurred to me that it'd be real 
nice to have a 'swap chain' feature in iptables that is equivalent to the 
'swap set' feature in ipset.

Such a feature would minimize the amount of time that rules are unavailable 
when adding, changing or deleting them. At present, all the rules in the chain 
being modified are deleted, then the new rules are added. So there is a period 
of time, albeit brief, that rules are not available in that chain.

Were there a 'swap chain' command, one could build a new chain of the changed 
rules, swap the new and old chains, then flush and delete the new (now old) 
chain. This would all but guarantee that no packets 'slip by' (are 
overlooked).

Thanks,
N

* Re: 'swap table' feature
  2012-05-23 21:25 'swap table' feature Neal Murphy
@ 2012-05-23 21:53 ` Jan Engelhardt
  2012-05-23 22:03   ` Neal Murphy
  2012-05-27 18:03   ` Neal Murphy
  0 siblings, 2 replies; 4+ messages in thread
From: Jan Engelhardt @ 2012-05-23 21:53 UTC (permalink / raw)
  To: Neal Murphy; +Cc: netfilter

On Wednesday 2012-05-23 23:25, Neal Murphy wrote:

>I knew I'd eventually remember why I subscribed to this list....
>
>While working on enhancing my firewall, it occurred to me that it'd be real 
>nice to have a 'swap chain' feature in iptables that is equivalent to the 
>'swap set' feature in ipset.

>Such a feature would minimize the amount of time that rules are unavailable 
>when adding, changing or deleting them. At present, all the rules in the chain 
>being modified are deleted, then the new rules are added. So there is a period 
>of time, albeit brief, that rules are not available in that chain.

What, never heard of iptables-restore? Atomic replace has been in 
iptables for a long, long time.
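
The two mechanisms under discussion, iptables-restore's single-commit table replace and the "build a new chain, swap it in, drop the old one" sequence proposed in the opening message, as an added shell example that is not code from the thread: the chain name allow_ssh, the rule position in INPUT and the source addresses are constructed for illustration, and the script only generates, counts and parse-checks rulesets; it never loads them into a kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# input that replaces the whole filter table in one COMMIT, and prints the
# plain-iptables "swap chain" sequence for comparison. Chain name, rule
# position and addresses are constructed values.

# Emit a complete iptables-restore ruleset for the filter table.
# Usage: build_restore_input CHAIN SRC...
# Every rule sits in one "*filter ... COMMIT" block, so iptables-restore
# assembles the table in user space and hands it to the kernel in a single
# replace: the old rules stay in effect until COMMIT and the new ones are
# in effect immediately after it, with no empty-chain window in between.
build_restore_input() {
    chain=$1
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ":$chain - [0:0]"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -j $chain"
    for src in "$@"; do
        printf '%s\n' "-A $chain -s $src -p tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' "-A $chain -j DROP"
    printf '%s\n' 'COMMIT'
}

# Count rule lines (those beginning with -A) in a ruleset read from stdin.
count_rules() {
    grep -c '^-A'
}

# Parse-only check: iptables-restore --test builds the ruleset without
# committing it, so a syntax error is caught before anything changes.
# Returns 0 when the ruleset parses, or when iptables-restore is absent
# (then nothing is checked and a note is printed to stderr).
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1" || return 1
    else
        echo "iptables-restore not installed; skipping parse check" >&2
    fi
}

# Print the plain-iptables sequence that approximates a "swap chain":
# populate CHAIN_new, replace the single jump rule in INPUT at position
# RULENUM with one -R call (so the jump never disappears), flush and
# delete the old chain, then rename the new chain back to CHAIN so the
# next swap can use the same names. Printed, not executed, for review.
# Usage: swap_chain_commands CHAIN RULENUM SRC...
swap_chain_commands() {
    chain=$1
    rulenum=$2
    shift 2
    printf '%s\n' "iptables -N ${chain}_new"
    for src in "$@"; do
        printf '%s\n' "iptables -A ${chain}_new -s $src -p tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' "iptables -A ${chain}_new -j DROP"
    printf '%s\n' "iptables -R INPUT $rulenum -j ${chain}_new"
    printf '%s\n' "iptables -F $chain"
    printf '%s\n' "iptables -X $chain"
    printf '%s\n' "iptables -E ${chain}_new $chain"
}

# Demonstration on constructed input (written to a temp file, never loaded).
tmp=$(mktemp)
build_restore_input allow_ssh 192.0.2.10 192.0.2.11 198.51.100.7 > "$tmp"
check_ruleset "$tmp" || echo "ruleset failed to parse" >&2
printf 'rules in generated table: %s\n' "$(count_rules < "$tmp")"
swap_chain_commands allow_ssh 3 192.0.2.10 192.0.2.11 198.51.100.7
rm -f "$tmp"
```

The point Jan makes becomes visible here: each separate iptables invocation (the flush, then every append) already replaces the table as a whole, and the gap the opening message describes is the interval between those separate replacements. iptables-restore collapses the flush and all the appends into one replacement, so no packet is evaluated against a half-built chain. The printed swap-chain sequence narrows the window to a single -R call but still consists of several invocations, so for a full reload the generated ruleset piped into iptables-restore is the safer choice; run it through `iptables-restore --test` first so a typo in a generated rule is rejected before the commit.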

* Re: 'swap table' feature
  2012-05-23 21:53 ` Jan Engelhardt
@ 2012-05-23 22:03   ` Neal Murphy
  2012-05-27 18:03   ` Neal Murphy
  1 sibling, 0 replies; 4+ messages in thread
From: Neal Murphy @ 2012-05-23 22:03 UTC (permalink / raw)
  To: netfilter

On Wednesday 23 May 2012 17:53:39 Jan Engelhardt wrote:
> On Wednesday 2012-05-23 23:25, Neal Murphy wrote:
> What, never heard of iptables-restore? Atomic replace has been in
> iptables since a long long time.

Well, yes, I've heard of, and have used, iptables-restore. But I don't recall 
ever seeing mention of such a feature or how it works. Now that I'm aware of 
it, I'll have to investigate.

Thanks,
N

* Re: 'swap table' feature
  2012-05-23 21:53 ` Jan Engelhardt
  2012-05-23 22:03   ` Neal Murphy
@ 2012-05-27 18:03   ` Neal Murphy
  1 sibling, 0 replies; 4+ messages in thread
From: Neal Murphy @ 2012-05-27 18:03 UTC (permalink / raw)
  To: netfilter

On Wednesday 23 May 2012 17:53:39 Jan Engelhardt wrote:
> What, never heard of iptables-restore? Atomic replace has been in
> iptables since a long long time.

Yes, now that a few more neurons have fired, I experimented with 
iptables-restore a while back.

I tested iptables-restore alongside Smoothwall/Roadster's ipbatch (custom 
libiptc interface). I don't recall the system details exactly; the kernel 
would've been around 2.6.32 and iptables would've been around 1.4.8. SWE3's 
ipbatch program was generally 5% faster than iptables-restore. Nothing to 
write home about. The bigger deal was that both programs exhibited errors when 
I applied more than 14k-25k rules without a commit. As long as there was a 
commit every 14k-25k rules, I could enter well over 250k rules; IIRC, I 
entered more than 1M rules a time or two.

Granted, not many systems have more than 14k rules. And I haven't tested newer 
versions of the software since. But I believe that 14k-25k limit was enough to 
prevent a larger table from being atomically replaced.

N
