Hi guys

I resend this patchset because I ported it from 1.3.8 to the current subversion revision 7086 and did some minor changes. I also explain more of its advantages at the end of this mail.

This patchset introduces a new tool called iptables-edit, which allows applying iptables rules to an iptables-save'd state file (dump) instead of applying them to the kernel. This allows minimizing the outage of firewall scripts which rebuild the entire ruleset from scratch when something changes within their configuration.

It uses functionality from iptables-save and iptables-restore, therefore the patchset reorganizes that functionality into a separate file iptables-dump.c

I will start with a man page and ip6tables-edit as well if the patch makes sense to you.

Let me give an example and a better explanation of the advantages:

--------------------------------------------------------------------
$ iptables-save > netfilter.dump
$ cat dump
# Generated by iptables-save v1.4.0rc1 on Mon Nov 5 00:29:41 2007
*filter
:INPUT ACCEPT [17577:13507071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19227:2350905]
COMMIT
# Completed on Mon Nov 5 00:29:41 2007

Now you want to apply these rules to the file netfilter.dump:

$ cat > rules << EOF
iptables -N test
iptables -A test -p tcp --dport 80 -j DROP
EOF

$ iptables-edit -i netfilter.dump < rules > netfilter_edited.dump
$ cat netfilter_edited.dump
# Generated by iptables-save v1.4.0rc1 on Mon Nov 5 00:33:33 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test - [0:0]
-A test -p tcp -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Nov 5 00:33:33 2007

Now you can atomically commit all the rules at once to the kernel using

$ iptables-restore netfilter_edited.dump
--------------------------------------------------------------------

Most firewall scripts (for example fwbuilder, shorewall, firehole, etc..) always work this way:

- They flush and remove all iptables chains
- They apply the iptables rules successively, either by:
  o compiling a shell script with an iptables rule per line, or
  o calculating the iptables rules from a configuration file on the fly.

Both possibilities have the disadvantage that they cause a network outage between the flush and the re-creation of the rules, which can loosely be a couple of seconds (which in many cases is way too much outage). Imagine the shell overhead caused by executing the iptables tool several hundred times when hundreds of rules need to be applied.

iptables-edit allows those scripts to apply the changes to a dump file first and then apply them with iptables-restore at once, with an outage of a few milliseconds.

Another advantage could be something like this:

$ iptables-restore netfilter_edited.dump && sleep 10 && \
  iptables-restore netfilter.dump

which would automatically jump back to the old ruleset if the administrator did something wrong and locked himself out.

Please let me know what you think

Regards,

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter@xxxxxxxxxx
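The workflow described in the mail (dump, edit the dump, commit it in one iptables-restore run, roll back on a timer) as an added example that is not part of the patchset or of iptables itself. Since iptables-edit only exists as this proposal, the `edit_dump` function below emulates in awk the -N/-A/-I subset of what it does to an iptables-save dump; `apply_with_rollback`, the `.confirmed` file convention, the `IPTABLES_RESTORE` override and the sample dump (the mail's, extended with one existing rule and a nat table) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the patchset): a shell emulation of the -N/-A/-I
# subset of what iptables-edit does to an iptables-save dump, plus the timed
# rollback the mail suggests, driven by the real iptables-restore.

# Constructed dump in the format of the mail's example, extended with one
# existing rule and a nat table so the per-table placement is visible.
SAMPLE_DUMP='# Generated by iptables-save v1.4.0rc1 on Mon Nov 5 00:29:41 2007
*filter
:INPUT ACCEPT [17577:13507071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19227:2350905]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 5 00:29:41 2007'

# edit_dump RULES_FILE   (dump on stdin, edited dump on stdout)
# RULES_FILE holds one "iptables [-t TABLE] {-N CHAIN | -A CHAIN ... | -I CHAIN ...}"
# per line. Chain definitions go after the table's existing ":" lines, rules
# before its COMMIT; iptables-restore executes them in file order, so an -I
# still lands ahead of the rules already in the dump. Counters are left alone
# (iptables-restore ignores them unless given -c). Assumed limits of this
# emulation: no other commands, no shell quoting, no validation of match
# options; the real iptables-edit runs the iptables parser for that.
edit_dump() {
    [ -r "$1" ] || { echo "edit_dump: cannot read $1" >&2; return 1; }
    awk -v rules="$1" '
    BEGIN {
        status = 0
        while ((getline line < rules) > 0) {
            n = split(line, f, " ")
            if (n == 0 || f[1] ~ /^#/) continue
            if (f[1] != "iptables") {
                print "edit_dump: not an iptables command: " line > "/dev/stderr"
                status = 1; continue
            }
            table = "filter"; i = 2
            if (f[i] == "-t") { table = f[i+1]; i += 2 }
            if (f[i] == "-N") {
                chains[table] = chains[table] ":" f[i+1] " - [0:0]\n"
            } else if (f[i] == "-A" || f[i] == "-I") {
                rest = f[i]
                for (j = i + 1; j <= n; j++) rest = rest " " f[j]
                rules_for[table] = rules_for[table] rest "\n"
            } else {
                print "edit_dump: unsupported command: " line > "/dev/stderr"
                status = 1
            }
        }
    }
    /^\*/            { table = substr($0, 2); seen[table] = 1; pending = 1; print; next }
    pending && !/^:/ { printf "%s", chains[table]; pending = 0 }
    /^COMMIT/        { printf "%s", rules_for[table]; print; next }
    { print }
    END {
        # rules for a table the dump does not contain would otherwise vanish silently
        for (t in chains)    if (!(t in seen) && chains[t] != "")    { print "edit_dump: no table " t " in dump" > "/dev/stderr"; status = 1 }
        for (t in rules_for) if (!(t in seen) && rules_for[t] != "") { print "edit_dump: no table " t " in dump" > "/dev/stderr"; status = 1 }
        exit status
    }'
}

# apply_with_rollback EDITED_DUMP BACKUP_DUMP SECONDS
# Commits EDITED_DUMP in one iptables-restore run (the only moment the live
# ruleset changes), then reverts to BACKUP_DUMP unless "$EDITED_DUMP.confirmed"
# appears within SECONDS, i.e. unless the admin still has a working session to
# touch it from. Returns 0 (kept), 1 (restore failed), 2 (rolled back).
# IPTABLES_RESTORE is overridable so the logic can be exercised without root.
apply_with_rollback() {
    edited=$1; backup=$2; secs=$3
    "${IPTABLES_RESTORE:-iptables-restore}" < "$edited" || return 1
    i=0
    while [ "$i" -lt "$secs" ]; do
        if [ -e "$edited.confirmed" ]; then
            rm -f "$edited.confirmed"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    "${IPTABLES_RESTORE:-iptables-restore}" < "$backup"
    return 2
}

# Usage as root, mirroring the mail's workflow:
#   iptables-save > netfilter.dump
#   edit_dump rules < netfilter.dump > netfilter_edited.dump
#   apply_with_rollback netfilter_edited.dump netfilter.dump 10
# and, from a session that still works: touch netfilter_edited.dump.confirmed
```

The rollback timer only protects against lockout; it does not tell you whether the edited dump is syntactically valid before it touches the kernel. Current iptables-restore accepts `-t`/`--test` to parse and construct a ruleset without committing it, which is the cheaper check to run on `netfilter_edited.dump` first.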