Re: drop dhcp request from a particular mac address, after a dhcp relay

On 03/13/2010 01:29 PM, Sven-Haegar Koch wrote:
> On Sat, 13 Mar 2010, Robert Nichols wrote:
>
> > As for iptables, if you're using a high-level firewall builder to
> > generate the rules, then yes, it will probably reload the entire rule
> > set if you make any change.  If you work at a lower level and use the
> > 'iptables' command directly, then only the rule you add or change is
> > affected.  You can confirm that quite easily by running "iptables -vnL"
> > before and after the change and observing that the packet counts for
> > the other rules do not get reset.
>
> No, this is not correct.
>
> The iptables command downloads the whole ruleset from the kernel,
> including current counter values, modifies the downloaded version, and
> then uploads the whole resulting ruleset (again, with counter
> values) into the kernel again.
>
> This "download whole ruleset, modify in userspace, upload" cycle is why
> iptables-restore is so much faster than multiple calls to the iptables
> program - it only downloads once, applies all changes from the input,
> and then uploads back to the kernel once.

Indeed!  I looked at the iptables source, and that's exactly what happens.

Learn something new every day.  Thanks for the correction.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
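As an added example (not code from the thread or from the iptables project), here is a POSIX shell helper that turns a list of individual iptables invocations into a single iptables-restore batch, so the download/modify/upload cycle described above happens once rather than once per rule. The rule list is constructed for illustration, and the helper assumes plain `iptables [-t table] -A/-I/-D ...` lines without quoted arguments.

```shell
#!/bin/sh
# Constructed sample: the rules an admin might otherwise apply one
# iptables call at a time (each call = one full ruleset round trip).
CONSTRUCTED_CMDS='iptables -A INPUT -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A FORWARD -p udp --dport 67 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 67 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT'

# Turn "iptables [-t TABLE] <rule spec>" into "TABLE<TAB><rule spec>".
# Table defaults to filter, as it does for the iptables command itself.
# Assumption: arguments contain no shell quoting or whitespace.
rule_with_table() {
    line=$1
    table=filter
    case "$line" in
        "iptables -t "*)
            set -- $line            # split on whitespace
            table=$3
            shift 3                 # drop "iptables -t <table>"
            line="$*"
            ;;
        "iptables "*)
            line=${line#"iptables "}
            ;;
    esac
    printf '%s\t%s\n' "$table" "$line"
}

# Read commands from stdin and emit one iptables-restore batch:
# a *table header per table (first-seen order), the rules in their
# original order, and a COMMIT per table.
build_restore_batch() {
    while IFS= read -r cmd; do
        if [ -n "$cmd" ]; then
            rule_with_table "$cmd"
        fi
    done | awk -F'\t' '
        !seen[$1]++ { order[++n] = $1 }
        { rules[$1] = rules[$1] $2 "\n" }
        END {
            for (i = 1; i <= n; i++) {
                printf "*%s\n%s", order[i], rules[order[i]]
                print "COMMIT"
            }
        }'
}

# Stand-alone run: print the batch that would be fed to iptables-restore.
printf '%s\n' "$CONSTRUCTED_CMDS" | build_restore_batch
```

Feed the output to `iptables-restore -n` (`--noflush`) to add these rules in one upload without flushing the rules already in the kernel; without `-n`, iptables-restore replaces each listed table wholesale.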

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
