Re: ipset save and restore

Hey Jozsef. 

On Wed, 2012-12-19 at 22:01 +0100, Jozsef Kadlecsik wrote:
> > Of course I understand that it could not delete sets which are in use,
> > but at least it could empty them.
> Restore mode is flexible. If you want the sets to be emptied first, then 
> start with the flush command (in the file).
Phew... I'd rather say it's less powerful... if someone really wants
fine grained control, he can still use the single commands.

restore is even documented in the ipset manpage to do what e.g. iptables
restore does... getting the session back... but it doesn't.
I think that should definitely be documented better.


> > Now when I use the following instead:
> > ipset flush
> > ipset destroy
> > ipset restore < file
> 
> Why do you destroy the sets?
Well if you have long running systems and sets get unused one probably
wants to release their memory.

btw: "ipset destroy" fails if a single set still contains entries...
wouldn't it be better if all empty sets are destroyed and it only fails
on those which are not?



> If the sets are in use then you cannot delete 
> them at all.
I understand that this might be necessary from a technical point of
view,.. but wouldn't it be simply possible to consider non-existing sets
to be empty sets?


> If you are not concerned that for a very small time the sets are empty, 
> then simply start with the flush command in the restore file and that's 
> all (I don't see why you'd want to destroy those).
Well I'd have expected that everybody would be concerned... when you
have some high speed network you surely will lose packets...


> If you want to avoid the time while the sets are empty, then use the 
> sequence of
> 
> - restore into a temporary set
> - swap the set with the temporary one
> - destroy the temporary set
Thanks... this is at least a way... but unfortunately someone that
implies some additional programming effort...

Actually the above would be what one would expect from the restore
command, I guess.

No chance that the semantics are changed here?



Cheers,
Chris.
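
The restore / swap / destroy sequence quoted above can be generated from an ordinary `ipset save` file. The following is an added example, not part of the original message and not code from the ipset project; the function name `gen_atomic_restore`, the `-tmp` suffix and the sample set `blocklist` are assumptions, and it targets hash/bitmap sets whose names leave room for the suffix.

```shell
#!/bin/sh
# Added example: rewrite `ipset save` output so that entries are loaded
# into temporary sets and swapped in, so a live set is never empty.
# Assumptions: the "-tmp" suffix is unused, names stay within ipset's
# name length limit, and an existing live set has the same type as in the file.

gen_atomic_restore() {
    awk -v sfx="${1:--tmp}" '
    $1 == "create" {
        name = $2
        order[++n] = name
        # Keep the type and creation options that follow the set name.
        s = ""
        for (i = 3; i <= NF; i++) s = s " " $i
        spec[name] = s
        # Temporary set; -exist plus flush clears leftovers of a failed run.
        print "create " name sfx s " -exist"
        print "flush " name sfx
        next
    }
    $1 == "add" {
        # Redirect the entry into the temporary set.
        $2 = $2 sfx
        print
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            name = order[i]
            # A missing live set is created empty so that swap can succeed.
            print "create " name spec[name] " -exist"
            print "swap " name sfx " " name
            print "destroy " name sfx
        }
    }'
}

# Constructed sample in `ipset save` format (documentation addresses).
sample_save() {
    cat <<'EOF'
create blocklist hash:ip family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.10
add blocklist 198.51.100.7
EOF
}
```

Typical use is `gen_atomic_restore < file | ipset restore`; sets that are referenced by iptables rules keep matching throughout because only their contents are exchanged.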
