On 01.06.2010 13:26, rk@xxxxxx wrote:
> I should clarify some facts about my conditions.
>
> The whole iptables ruleset is represented by a few files in /etc. Some of them
> are generated, some of them are hand-written. I am able to feed the /etc
> rules to iptables-restore or execute them as a shell script. This is
> trivial. Although iptables-restore is faster than executing iptables in a
> shell script, it is still very slow sometimes. Changes in the /etc ruleset
> are small but frequent. But primarily both solutions reset counters if
> used and it is not good for me now. So I ended up with a script that does
> incremental updates.

iptables-save/iptables-restore have a -c switch to save/restore counters.

> My script takes iptables-save output as the first argument and the desired
> ruleset declared in /etc files as the second argument (but generally any two
> inputs). In the first step it converts both inputs to a comparable form and
> builds the ruleset in an internal representation. Then comes the iptables_diff
> method, which is able to generate two rules
>
> iptables -D SSH 10
> iptables -I SSH 10 -j REJECT -s 2.3.2.3

You could use -R here. If many rules look like that, use ipset?

> if rule 10 in chain SSH differs in the first and second ruleset. It mostly
> works but it needs constant maintenance because of changes in iptables
> itself, so I am not satisfied. I believe that it works as I intended
> because this utility dramatically lowers reload times of firewalls on our
> busy routers. As I said, changes are small. Restoring 10000 rules via
> iptables-restore is often slower than my python processing and
> executing two iptables commands.

Using the -n switch of iptables-restore you might be able to create 'smaller' changes.

Best regards
Mart
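The kind of ruleset diff the thread discusses, written out as an added example (this is not the poster's script, which is not shown, and not part of the netfilter project): it parses two dumps in iptables-save syntax, strips the `[pkts:bytes]` counter prefixes that `iptables-save -c` emits so they never count as differences, and emits one `iptables -R CHAIN N ...` per changed position instead of a `-D`/`-I` pair, as Mart suggests. Rules that exist only in the old ruleset are deleted from the end of the chain so earlier positions stay valid; rules that exist only in the new one are appended. The sample dumps are constructed for the example, and the code assumes both inputs are already in the normalised iptables-save form (`-s 1.2.3.4/32`, `-m tcp --dport 22`), which is the "comparable form" step the poster describes and which this example does not implement.

```python
"""Diff two iptables-save dumps and emit the iptables commands that turn the
first into the second (added example; assumes inputs are already in
normalised iptables-save syntax)."""
import re

# iptables-save -c prefixes each rule with "[pkts:bytes] "; match and drop it.
RULE_RE = re.compile(r'^(?:\[\d+:\d+\] )?-A (\S+) (.*)$')


def parse_save(text):
    """Return {table: {chain: [rule_spec, ...]}} from iptables-save output.

    Counter prefixes are discarded so that a live dump taken with -c compares
    equal to a hand-written ruleset with the same rules."""
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):            # "*filter"
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(':'):          # ":SSH - [0:0]" declares a chain
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        else:
            m = RULE_RE.match(line)         # "COMMIT" and unknown lines are ignored
            if m:
                chain, spec = m.groups()
                tables[table].setdefault(chain, []).append(spec)
    return tables


def diff_chain(table, chain, old, new):
    """Commands turning rule list `old` into `new` for one chain.

    Compared position by position: a changed rule at index i becomes
    `-R CHAIN i+1`, surplus old rules are deleted from the end (so the
    1-based positions of remaining rules do not shift), surplus new rules
    are appended."""
    cmds = []
    common = min(len(old), len(new))
    for i in range(common):
        if old[i] != new[i]:
            cmds.append(f'iptables -t {table} -R {chain} {i + 1} {new[i]}')
    for i in range(len(old) - 1, common - 1, -1):
        cmds.append(f'iptables -t {table} -D {chain} {i + 1}')
    for spec in new[common:]:
        cmds.append(f'iptables -t {table} -A {chain} {spec}')
    return cmds


def diff_rulesets(old_text, new_text):
    """Commands turning the ruleset in `old_text` into the one in `new_text`.

    Chains present only in the new ruleset are created first (-N); chains
    present only in the old one are emptied by diff_chain and then removed
    (-X). Built-in chains appear in both dumps, so they are never -N/-X'ed."""
    old, new = parse_save(old_text), parse_save(new_text)
    cmds = []
    for table in sorted(set(old) | set(new)):
        ochains, nchains = old.get(table, {}), new.get(table, {})
        for chain in sorted(set(ochains) | set(nchains)):
            if chain not in ochains:
                cmds.append(f'iptables -t {table} -N {chain}')
            cmds.extend(diff_chain(table, chain,
                                   ochains.get(chain, []), nchains.get(chain, [])))
            if chain not in nchains:
                cmds.append(f'iptables -t {table} -X {chain}')
    return cmds


# Constructed sample input: a live dump taken with `iptables-save -c` ...
OLD = """\
# Generated by iptables-save v1.4.4
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH - [0:0]
[10:800] -A INPUT -p tcp -m tcp --dport 22 -j SSH
[5:400] -A SSH -s 10.0.0.0/8 -j ACCEPT
[2:160] -A SSH -s 1.2.3.4/32 -j REJECT
[3:240] -A SSH -j DROP
COMMIT
"""

# ... and the desired ruleset from /etc: rule 2 of SSH changed, one rule added.
NEW = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j SSH
-A SSH -s 10.0.0.0/8 -j ACCEPT
-A SSH -s 2.3.2.3/32 -j REJECT
-A SSH -j DROP
-A SSH -s 5.6.7.8/32 -j ACCEPT
COMMIT
"""

if __name__ == '__main__':
    for cmd in diff_rulesets(OLD, NEW):
        print(cmd)
```

For the sample above this prints a single `-R SSH 2 ...` and one `-A SSH ...`, which is all the kernel has to apply; the counters of the untouched rules are not reset because those rules are never reloaded. If the number of commands grows, the same output can be rewritten as a `*filter ... COMMIT` fragment and fed to `iptables-restore -n -c`, as Mart suggests. One caveat a practitioner will hit immediately: the position-by-position comparison turns a single deletion in the middle of a long chain into a `-R` for every rule after it, so a real tool would want a proper sequence alignment there.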