On Wednesday 2012-08-22 19:35, /dev/rob0 wrote: >On Mon, Aug 20, 2012 at 10:21:37PM -0400, Neal Murphy wrote: >> On Monday 20 August 2012 20:30:26 /dev/rob0 wrote: >> > The main benefit is that iptables-restore is atomic. All changes >> > are committed in one pass. Any error in the ruleset means your >> > existing ruleset is not replaced. >> >> [Minor digression] >> By 'atomic', do you mean that all of the changes are made with a >> single COMMIT, regardless of how many tables are accessed and >> regardless of how many rules are processed? > >I don't know. I was hoping that someone familiar with the source >would answer. COMMIT is for each table separately, hence the atomicity is also at the table level. >> It's been my experience that there is an implicit COMMIT at every >> table change, and there is a ballpark limit of around 20,000 rules >> per commit. Thus: There is an upper limit, each table can be at most 4 GB in size. But it will *always* be atomic - that is to say, an incoming packet will always have some table (either the old, or its replacement) to be processed with. The most massive real-world ruleset to date has been Jesper's with 662160 rules (in 151426 chains) weighing in at "only" 149 MB. >> - If the changes to a table contain more than around 20,000 rules, >> then that operation will require more than one COMMIT and will >> NOT be atomic. No no no.. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
