Re: Reload IPtables

From: slow_speed@att.net
To: Reindl Harald <h.reindl@thelounge.net>,
	"Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Reload IPtables
Date: Tue, 29 Jun 2021 12:50:03 -0400	[thread overview]
Message-ID: <6e79f7e4-2954-b1e6-2efe-201cdf867d32@att.net> (raw)
In-Reply-To: <9dab1af3-3041-0fc0-e5d0-bd377ede37a3@thelounge.net>

On 6/29/21 11:18 AM, Reindl Harald wrote:
> 
> 
> Am 29.06.21 um 16:52 schrieb slow_speed@att.net:
>>
>>
>> On 6/28/21 10:02 PM, Neal P. Murphy wrote:
>>> On Mon, 28 Jun 2021 10:43:10 +0100
>>> Kerin Millar <kfm@plushkava.net> wrote:
>>>
>>>> Now you benefit from atomicity (the rules will either be committed 
>>>> at once, in full, or not at all) and proper error handling (the exit 
>>>> status value of iptables-restore is meaningful and acted upon). 
>>>> Further, should you prefer to indent the body of the heredoc, you 
>>>> may write <<-EOF, though only leading tab characters will be 
>>>> stripped out.
>>>>
>>>
>>> [minor digression]
>>>
>>> Is iptables-restore truly atomic in *all* cases? Some years ago, I 
>>> found through experimentation that some rules were 'lost' when 
>>> restoring more than 25 000 rules. If I placed a COMMIT every 20 000 
>>> rules or so, then all rules would be properly loaded. I think COMMITs 
>>> break atomicity. I tested with 100k to 1M rules. I was comparing the 
>>> efficiency of iptables-restore with another tool that read from 
>>> STDIN; the other tool was about 5% more efficient.
>>>
>>
>> Please explain why you might have so many rules.  My server is pushing 
>> it at a dozen
> 
> likely because people don't use "ipset" and "chains" instead repeat the 
> same stuff again and again so that every single package has to travel 
> over hundrets and thousands of rules :-)

Exactly my thoughts.  Of course I understand that there may be long 
lists in some odd situations, but I wonder what kind of server is being 
referenced.