On Mon, 19 May 2008, Thomas Jacob wrote:
> If doing a lot of rule changes, you should definitely use iptables-restore
> or the CPAN perl module IPTables::libiptc.
> Incidentally, what happens during the time changes are being processed
> by iptables-restore/the kernel? More specifically, do I need to
> worry about packets being blocked/dropped when I would do a lot of
> rule updates?
Packets will not get dropped while userspace (iptables/libiptc) is making
changes to the ruleset. It's allowed to make many, many changes in userspace
before committing it to the kernel.
When committing the ruleset to the kernel, the kernel will have both the
old and new ruleset before it swaps the two. I have not measured the
performance hit of swapping the rulesets, but it should be insignificant.
Cheers,
Jesper Brouer
--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
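As an added example (not code from the thread or from either poster): a POSIX shell script that builds the whole filter table as one iptables-restore ruleset with a single COMMIT, so every rule change lands in the kernel in one table replace instead of one replace per `iptables` call. The allowed-port list and the `iptables-restore --test` dry run are assumptions of the example.

```shell
#!/bin/sh
# Added example: generate a complete filter table for iptables-restore.
# One COMMIT means the kernel swaps old and new rulesets once, after all
# rules have been assembled in userspace.
set -eu

# Emit an iptables-restore ruleset for the filter table. Arguments are
# TCP ports to allow inbound; everything else on INPUT is dropped.
build_filter_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # A single COMMIT: every -A line above is installed in one atomic replace.
    printf '%s\n' 'COMMIT'
}

# Count COMMIT lines in a ruleset read from stdin; the swap described in
# the thread happens once per COMMIT, so one per table is what we want.
count_commits() {
    grep -c '^COMMIT$'
}

# Parse the ruleset with iptables-restore --test when the binary exists
# (the real commit needs root and the netfilter modules). When it is
# absent the ruleset is consumed and the check passes, so this runs anywhere.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test
    else
        cat >/dev/null
    fi
}

# Constructed port list for the example: SSH and HTTPS.
build_filter_ruleset 22 443 | check_ruleset || echo "dry run failed (needs root)" >&2
```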