Re: Reload IPtables

On 6/28/21 10:02 PM, Neal P. Murphy wrote:
> On Mon, 28 Jun 2021 10:43:10 +0100
> Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
>> Now you benefit from atomicity (the rules will either be committed at once, in full, or not at all) and proper error handling (the exit status value of iptables-restore is meaningful and acted upon). Further, should you prefer to indent the body of the heredoc, you may write <<-EOF, though only leading tab characters will be stripped out.
>
> [minor digression]
>
> Is iptables-restore truly atomic in *all* cases? Some years ago, I found through experimentation that some rules were 'lost' when restoring more than 25 000 rules. If I placed a COMMIT every 20 000 rules or so, then all rules would be properly loaded. I think COMMITs break atomicity. I tested with 100k to 1M rules. I was comparing the efficiency of iptables-restore with another tool that read from STDIN; the other tool was about 5% more efficient.


Please explain why you might have so many rules. My server is pushing it at a dozen.
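
The pattern the quoted text describes (a ruleset fed to iptables-restore from a heredoc, a single COMMIT, and the exit status acted upon), as an added example that is not part of the thread. The rules themselves and the `RESTORE_CMD` override are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# RESTORE_CMD is a hypothetical override so the functions can be exercised
# without root; by default the real iptables-restore is used.
: "${RESTORE_CMD:=iptables-restore}"

load_rules() {
    # The whole filter table is sent as one transaction. With a single
    # COMMIT at the end, the rules are applied in full or not at all.
    # The delimiter is quoted so the shell expands nothing in the body.
    $RESTORE_CMD <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

apply_rules() {
    # Act on the exit status instead of assuming the load worked.
    if load_rules; then
        echo "ruleset committed"
    else
        status=$?
        echo "restore failed with status $status; nothing was committed" >&2
        return "$status"
    fi
}

# Usage (as root): apply_rules || exit 1
# To check syntax only, without committing:
#   RESTORE_CMD='iptables-restore --test' apply_rules
```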


