On Thursday, 08 September 2011 at 17:00 +0200, Jan Engelhardt wrote:
> On Thursday 2011-09-08 15:28, Hiroshi KIHIRA wrote:
>
> > I propose to add a new command line option to iptables-restore.
>
> I propose on top that it should be made the default, since half
> tables are not really useful to anybody. (This has gone as far as to
> people writing that iptables-apply script, and I'd love to see it
> being replaced by something included in the C code instead.)
>
> > In the situation that several tables are restored, each table is
> > applied into kernel space when the COMMIT statement is read from
> > the input. If there is a syntax error in the rules, iptables-restore
> > will end without doing any modification to the table. However, a
> > table that was already committed into kernel space is not reverted.
> > [...]
>
> I am in favor of that. Though, I have to add, it actually misses the
> inconsistency case {syntax is accepted, but the options are rejected
> by the kernel}.
>
> What would probably be most desirable is that iptables-restore keeps
> copies in memory of each table it attempted to touch,
> for the eventual case of a rollback.

Unfortunately, keeping a copy in userland memory is not enough to guarantee that a rollback is possible in kernel land. You might be in an OOM situation preventing new (large) memory allocations.
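The commit-ordering problem discussed in this thread, as an added example that is not netfilter or iptables code: a small parser for the iptables-save text format that yields a table at the moment its COMMIT line is read, the streaming behaviour Hiroshi describes (a table reaches the kernel at its COMMIT, so a later syntax error leaves it applied) beside an atomic variant that parses the whole input first and keeps a userland copy of each table for rollback, as Jan suggests. The "kernel" is an in-memory stand-in, `FakeKernel`, which rejects a table carrying a match option it lacks (Jan's parser-accepts-but-kernel-rejects case) and, through an assumed replace budget, can also fail the rollback replace itself, which is the memory-pressure case the reply raises. The two sample rulesets, the `--dccp-types` option chosen as "unsupported", the budget mechanism and every error string are constructed for the illustration.

```python
# Added model (not netfilter code) of iptables-restore's per-table COMMIT behaviour
# beside an atomic, rollback-capable variant; the "kernel" is an in-memory stand-in.
import re
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")  # :CHAIN POLICY [pkts:bytes]

def parse_ruleset(text):
    """Yield each table at its COMMIT line, i.e. when iptables-restore would hand it
    to the kernel; raise ValueError on the first malformed line (userland syntax)."""
    cur = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if cur is not None:
                raise ValueError(f"line {lineno}: table {cur['name']} not committed")
            cur = {"name": line[1:], "chains": {}, "rules": []}
        elif cur is None:
            raise ValueError(f"line {lineno}: statement outside any table")
        elif line == "COMMIT":
            yield cur
            cur = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: bad chain declaration: {line}")
            cur["chains"][m.group(1)] = m.group(2)  # policy; "-" for user chains
        elif line.startswith("-A "):
            cur["rules"].append(line)
        else:
            raise ValueError(f"line {lineno}: unknown statement: {line}")

def restore_streaming(text, kernel):
    """Behaviour the thread describes: replace each table as its COMMIT is read, so
    tables committed before a later error stay applied. Returns (names, error)."""
    committed = []
    try:
        for table in parse_ruleset(text):
            kernel(table)
            committed.append(table["name"])
    except (ValueError, OSError) as e:  # OSError: the (simulated) kernel refused it
        return committed, str(e)
    return committed, None

def restore_atomic(text, kernel, snapshot):
    """Parse everything first (a syntax error then applies nothing), keep a userland
    copy of each table, roll back on kernel rejection; if a rollback replace fails
    too (the memory-pressure case raised in the reply), report what is left."""
    try:
        tables = list(parse_ruleset(text))
    except ValueError as e:
        return [], f"nothing applied: {e}"
    saved = {t["name"]: snapshot(t["name"]) for t in tables}
    applied = []
    for table in tables:
        try:
            kernel(table)
            applied.append(table["name"])
        except OSError as e:
            while applied:
                try:
                    kernel(saved[applied[-1]])
                except OSError as e2:
                    return applied, f"{e}; rollback of {applied[-1]} failed: {e2}"
                applied.pop()
            return [], f"rolled back: {e}"
    return applied, None

class FakeKernel:
    """In-memory stand-in for the netfilter tables: rejects a match option it lacks
    and, once an optional replace budget is spent, fails every replace (ENOMEM)."""
    def __init__(self, budget=None):
        self.tables, self.budget = {}, budget
    def replace(self, table):
        if any("--dccp-types" in r for r in table["rules"]):
            raise OSError(f"{table['name']}: option --dccp-types rejected")
        if self.budget is not None:
            if self.budget == 0:
                raise OSError(f"{table['name']}: table replace failed (ENOMEM)")
            self.budget -= 1
        self.tables[table["name"]] = table
    def snapshot(self, name):
        return self.tables.get(name, {"name": name, "chains": {}, "rules": []})

# Constructed sample (iptables-save format); the chain declaration on line 7 lacks '['.
BAD_SYNTAX = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT 0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
# Constructed: valid syntax, but the nat rule uses a match option the stand-in lacks.
KERNEL_REJECT = BAD_SYNTAX.replace(":POSTROUTING ACCEPT 0:0]", ":POSTROUTING ACCEPT [0:0]").replace(
    "-A POSTROUTING -o eth0 -j MASQUERADE", "-A POSTROUTING -p dccp -m dccp --dccp-types REQUEST -j MASQUERADE")
```

Running `restore_streaming(BAD_SYNTAX, k.replace)` on a fresh `FakeKernel` leaves `filter` replaced and reports the error on line 7 of `nat`, which is exactly the half-applied state the proposal wants to avoid; `restore_atomic` on the same input applies nothing. With `KERNEL_REJECT` the atomic variant applies `filter`, has `nat` refused, and restores `filter` from its snapshot, but with `FakeKernel(budget=1)` the rollback replace itself fails and the function has to report `filter` as still modified: a userland copy makes rollback possible only while the kernel can still accept a replace. From outside the binary this is the shape of safeguard the iptables-apply script mentioned above provides with iptables-save and iptables-restore, subject to the same caveat.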