Re: Reload IPtables

On Sat 26/Jun/2021 12:43:45 +0200 Reindl Harald wrote:

> /usr/sbin/ipset -file /etc/sysconfig/ipset restore
> /usr/sbin/iptables-nft-restore /etc/sysconfig/iptables
> /usr/sbin/sysctl -q --load=/etc/sysctl*.conf
>
> that way first all rules are loaded atomically and *then* "ip_forward" and friends are set to avoid a leak at boot
>
>> it may be good for you pro administrators with complex configurations... I have all in one file and do not need to bother about 1ms lost during reload nor seeking 10 different config files for simple tasks and wasting hours by config. I like easy life.
>
> mixing things together which don't belong together like iptables and sysctl is the opposite of simple, as well as running a ton of commands at boot where it should be a one-liner is also the opposite


I'm with David here. Besides sysctl and ipset, there are lots of ip commands, modprobe's, vconfig, and a couple of home-brewed daemons (ipqbdb). A soundly commented script captures the logic of the network and can be maintained with more coherence than raw commands accumulated along the way. The only drawback is that most changes, for example punching a hole in the firewall, have to be applied twice, in the boot script as well as directly in a terminal.


Best
Ale
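The boot sequence quoted from Reindl Harald above (sets first, then one atomic ruleset restore, and only then the sysctl knobs that turn on forwarding) is the kind of logic Ale's "soundly commented script" would carry. The script below is an added example written for this archive page, not code from either poster: the command paths and config file locations are the ones quoted in the thread, while the variables, the DRYRUN switch, the forwarding guard and the check_order self-test are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): a boot-time firewall loader that enforces
# the ordering quoted above: ipsets, then one atomic iptables restore, then the
# sysctl settings that enable ip_forward. The variables, DRYRUN switch and the
# guard on ip_forward are assumptions of this example.
set -eu

IPSET_CONF=${IPSET_CONF:-/etc/sysconfig/ipset}
IPTABLES_CONF=${IPTABLES_CONF:-/etc/sysconfig/iptables}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}   # overridable for testing
DRYRUN=${DRYRUN:-0}

# run: execute the command, or only print it when DRYRUN=1, so the sequence can
# be reviewed without touching the live ruleset.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# forwarding_is_off: succeeds when ip_forward reads 0 (or the knob is absent).
# If it is already 1 before the rules are in place, the box is routing under
# whatever policy is currently loaded, which is the boot-time leak the thread
# is about.
forwarding_is_off() {
    [ "$(cat "$IP_FORWARD" 2>/dev/null || echo 0)" = 0 ]
}

# load_firewall: the three steps, in the only order that is safe.
load_firewall() {
    if ! forwarding_is_off; then
        echo "ip_forward is already 1; load the ruleset before enabling forwarding" >&2
        return 1
    fi
    # 1. ipsets first: the ruleset references them, so restoring the rules
    #    before the sets exist would make the restore fail.
    run /usr/sbin/ipset -file "$IPSET_CONF" restore
    # 2. the whole ruleset in one commit: no window with a half-loaded policy.
    run /usr/sbin/iptables-nft-restore "$IPTABLES_CONF"
    # 3. only now set ip_forward and friends.
    run /usr/sbin/sysctl -q --load="$SYSCTL_CONF"
}

# check_order: given a DRYRUN transcript, confirm that exactly three steps ran
# and that they came out as ipset, iptables-nft-restore, sysctl. Useful as a
# self-test after editing the script.
check_order() {
    printf '%s\n' "$1" | awk '
        /ipset/                { if (n != 0) bad = 1; n++ }
        /iptables-nft-restore/ { if (n != 1) bad = 1; n++ }
        /sysctl/               { if (n != 2) bad = 1; n++ }
        END { exit (bad || n != 3) }'
}

# Invoked as firewall.sh: `DRYRUN=1 sh firewall.sh` prints the plan, and running
# it without DRYRUN applies it (needs root). Sourcing the file only defines the
# functions.
case "$0" in
    */firewall.sh|firewall.sh) load_firewall ;;
esac
```

Keeping the forwarding check in the script is what makes the ordering auditable: if someone later adds `net.ipv4.ip_forward = 1` to a file that is loaded earlier in boot, the loader stops instead of silently restoring rules onto an already-routing host.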


