From: Reindl Harald
Subject: Re: Reload IPtables
Date: Mon, 28 Jun 2021 12:17:11 +0200
Message-ID: <83719383-c18d-dcb6-07f6-f123872fa68b@thelounge.net>
References: <08f069e3-914f-204a-dfd6-a56271ec1e55.ref@att.net> <08f069e3-914f-204a-dfd6-a56271ec1e55@att.net> <4ac5ff0d-4c6f-c963-f2c5-29154e0df24b@hajes.org> <6430a511-9cb0-183d-ed25-553b5835fa6a@att.net> <877683bf-6ea4-ca61-ba41-5347877d3216@thelounge.net> <96559e16-e3a6-cefd-6183-1b47f31b9345@hajes.org> <16b55f10-5171-590f-f9d2-209cfaa7555d@thelounge.net> <54e70d0a-0398-16e4-a79e-ec96a8203b22@tana.it> <8395d083-022b-f6f7-b2d3-e2a83b48c48a@tana.it>
In-Reply-To: <8395d083-022b-f6f7-b2d3-e2a83b48c48a@tana.it>
To: Alessandro Vesely, netfilter@vger.kernel.org

On 28.06.21 at 11:23, Alessandro Vesely wrote:
> A complex script doesn't have to be error prone.

It is by definition more error prone than a simple restore, which has exactly that job, and it makes no sense to argue about such simple facts.

Do what you want, but stop talking nonsense when it comes to best practice.

> Speed is not a concern, given that boot only happens once every few months.

I always care about speed.

> Setting iptables atomically is not needed because ip link set $interface
> up commands are issued after iptables -A ones.

Irrelevant.

>> # NIC configuration
>> ExecStart=-/usr/sbin/ethtool -G lan rx 512 tx 256
>> ExecStart=-/usr/sbin/ethtool -K lan lro off
>> ExecStart=-/usr/sbin/ethtool -G wan rx 512 tx 256
>> ExecStart=-/usr/sbin/ethtool -K wan lro off
>
> I hadn't had to do that, yet (been lucky with autoconf?)

Bla - you don't want LRO on a router because it breaks the end-to-end principle, and maybe you have heard about bufferbloat.

>> # Make sure that 'sysctl' gets applied
>> ExecStart=-/usr/sbin/sysctl -q --load=/etc/sysctl*.conf
>
> Shouldn't this be automatic?

What when I don't want that automatic, to avoid all sorts of warnings when that automatic fires before iptables is loaded and so all the conntrack values are unknown?

> I set up DHCP independently of the network.  It only listens to the
> internal interface, so it's somewhat easier.  I consider it a separate
> issue

You didn't realize the difference between DHCP client/server!
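The ordering argued for in this message (load nf_conntrack, swap the ruleset in atomically with iptables-restore, only then apply the conntrack sysctls, which do not exist until the module is loaded), written out as an added shell example. This is not a script or unit file from the thread or from either poster; the paths /etc/iptables.rules and /etc/sysctl.d/90-conntrack.conf and the function names are assumptions for illustration. The sysctl loader checks that each key exists under /proc/sys before writing, so a net.netfilter.* setting that fires too early is listed as missing instead of turning into the warnings mentioned above.

```shell
#!/bin/sh
# Added example, not the unit file quoted in the thread.
# Sequence: nf_conntrack module -> atomic ruleset restore -> conntrack sysctls.

RULES=/etc/iptables.rules                  # assumed path, iptables-save format
CT_CONF=/etc/sysctl.d/90-conntrack.conf    # assumed path, "key = value" lines

# load_ruleset FILE: parse-check the whole file first (--test), then commit it.
# iptables-restore replaces each table in one step, so there is no window with
# a half-built chain, unlike a script running iptables -A line by line.
load_ruleset() {
    iptables-restore --test "$1" || return 1
    iptables-restore "$1"
}

# apply_sysctl_conf CONF [PROCSYS] [DRY]
# Apply "key = value" lines from CONF, skipping blanks and comments. Each key
# maps to a file under PROCSYS (default /proc/sys); keys whose file does not
# exist yet (e.g. net.netfilter.* before nf_conntrack is loaded) are reported
# as "missing" rather than raising a sysctl error. With DRY=1 nothing is
# written. Prints one "ok key=value" or "missing key" line per setting and
# returns the number of missing keys (0 means everything was applied).
apply_sysctl_conf() {
    conf=$1
    procsys=${2:-/proc/sys}
    dry=${3:-0}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in *=*) ;; *) printf 'skip malformed: %s\n' "$line"; continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path=$procsys/$(printf '%s' "$key" | tr . /)
        if [ -e "$path" ]; then
            [ "$dry" = 1 ] || printf '%s\n' "$val" > "$path"
            printf 'ok %s=%s\n' "$key" "$val"
        else
            printf 'missing %s\n' "$key"
            missing=$((missing + 1))
        fi
    done < "$conf"
    return "$missing"
}

# firewall_start: what a unit's ExecStart lines would run, in this order.
firewall_start() {
    modprobe nf_conntrack || return 1
    load_ruleset "$RULES" || return 1
    apply_sysctl_conf "$CT_CONF"
}

case "${1-}" in
    start) firewall_start ;;
esac
```

Run as `sh firewall.sh start` (as root) to apply; calling apply_sysctl_conf with a DRY argument of 1 against a real or staged /proc/sys tree shows which keys would be skipped without touching anything.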