Re: stop/start iptables vs. "iptables-restore"
Alex Tang wrote:
Hi folks,
We run a Linux-based product (RHEL4 based, kernel-2.6.9-55, and
iptables-1.2.11). During the running of the product, when we make
changes to the iptables configuration, we use the SysV-like RHEL
script "/etc/init.d/iptables restart", which effectively stops
iptables, unloads all of the iptables based kernel modules, then
starts iptables and all the kernel stuff.
A colleague recently asked why we're not using "iptables-restore"
instead of the script which does "stop/start". I'm looking to see if
you know of any reasons why we should or should not use
iptables-restore vs. "stop/start". Does it matter if the number of
connections on the system is high? Our product can sometimes handle
many millions of connections per day.
The RHEL start/stop scripts do use iptables-save and -restore. They are
as efficient as they can be.
HTH,
M4
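iptables-restore loads a dump table by table and commits nothing for a table until it reaches that table's COMMIT line, so a malformed file is the usual way a reload goes wrong. The following pre-flight check is an added example, not code from this thread or from RHEL's init script: it scans an iptables-save dump for the structural errors iptables-restore would reject (rules outside a table, rules for undeclared chains, a table without COMMIT) before the dump touches the live ruleset. `check_dump`, `BUILTIN`, `CHAIN_LINE` and the `SAMPLE` dump are names and data constructed for this example; `check_dump` returns a list of problems, empty when the dump is well-formed.

```python
# Added example, not code from this thread: a structural pre-flight check of an
# iptables-save dump before it is handed to iptables-restore.
import re

# Built-in chains per table; user chains must be declared with ":name - [0:0]".
BUILTIN = {"filter": {"INPUT", "FORWARD", "OUTPUT"},
           "nat": {"PREROUTING", "POSTROUTING", "OUTPUT"},
           "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
           "raw": {"PREROUTING", "OUTPUT"}}
CHAIN_LINE = re.compile(r":(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")

def check_dump(text):
    problems, table, chains = [], None, set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or iptables-save comment
        if line.startswith("*"):          # start of a table block
            if table is not None:
                problems.append(f"line {n}: table {table} has no COMMIT")
            table = line[1:]
            chains = set(BUILTIN.get(table, ()))
        elif table is None:
            problems.append(f"line {n}: content outside any table block")
        elif line.startswith(":"):        # chain declaration: policy and counters
            m = CHAIN_LINE.match(line)
            if m:
                chains.add(m.group(1))
            else:
                problems.append(f"line {n}: malformed chain line")
        elif line.startswith("-A "):      # rule appended to a chain
            chain = line.split()[1]
            if chain not in chains:
                problems.append(f"line {n}: rule for undeclared chain {chain}")
        elif line == "COMMIT":            # table block is complete
            table = None
        else:
            problems.append(f"line {n}: unrecognised line {line!r}")
    if table is not None:
        problems.append(f"end of file: table {table} has no COMMIT")
    return problems

SAMPLE = """# Constructed sample dump: the nat table is missing its COMMIT line
*filter
:INPUT DROP [0:0]
:svc - [0:0]
-A INPUT -p tcp --dport 22 -j svc
-A svc -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
"""
```

Run the check on the output of `iptables-save` (or on the file you intend to restore) and only call `iptables-restore` when the list comes back empty.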