On 29.06.21 at 16:52, slow_speed@xxxxxxx wrote:
On 6/28/21 10:02 PM, Neal P. Murphy wrote:
On Mon, 28 Jun 2021 10:43:10 +0100
Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
Now you benefit from atomicity (the rules will either be committed at
once, in full, or not at all) and proper error handling (the exit
status value of iptables-restore is meaningful and acted upon).
Further, should you prefer to indent the body of the heredoc, you may
write <<-EOF, though only leading tab characters will be stripped out.
[minor digression]
Is iptables-restore truly atomic in *all* cases? Some years ago, I
found through experimentation that some rules were 'lost' when
restoring more than 25 000 rules. If I placed a COMMIT every 20 000
rules or so, then all rules would be properly loaded. I think COMMITs
break atomicity. I tested with 100k to 1M rules. I was comparing the
efficiency of iptables-restore with another tool that read from STDIN;
the other tool was about 5% more efficient.
Please explain why you might have so many rules. My server is pushing
it at a dozen.
Likely because people don't use "ipset" and "chains" and instead repeat
the same stuff again and again, so that every single packet has to travel
over hundreds and thousands of rules :-)