Re: Reload IPtables

On 28.06.21 at 13:47, Alessandro Vesely wrote:
> On Mon 28/Jun/2021 12:17:11 +0200 Reindl Harald wrote:
>> On 28.06.21 at 11:23, Alessandro Vesely wrote:
>>> A complex script doesn't have to be error prone.
>>
>> it is by definition more error prone than a simple restore which has exactly that job and it makes no sense to argue about such simple facts
>
> As Kerin showed, restore is not intrinsically simpler, as it has to deal with the same amount of data.  It is only laid down in a different format.

for the sake of god you are not supposed to deal with that format as a human at all - you only need to know where you write it and load it from there

> The shell format is more verbose, but has some advantages:

not at boot time

> * it allows to test each single command separately

off-topic in the case of reloading the complete ruleset

> * its format is time-honored and fully documented.

off-topic in the case of reloading the complete ruleset

>> do what you want but stop talking nonsense when it comes to best practice
>
> One "best practice" that I'd object to is blindly restoring whatever was saved on shutdown.  How can one control that?  Booting with some clean, well-defined data looks safer

WTF: there is nothing magically or blindly saved and changed at shutdown, it's the whole state as it was, the outcome of your script

do you guys not realize that your shell scripts are fine as mine are but at the end the iptables ruleset has a defined state which you want restored 1:1 at boot

this whole discussion is embarrassing and especially when the target audience in this case is a noob-user it's idiotic not to follow best practices

nobody gives a shit how you create the ruleset and nobody right in his mind would touch the save-file by anything else but "iptables-save --file path" as nobody right in his mind would load it by anything else than "iptables-nft-restore path"

arguments like "i don't care if it's atomic in my special situation" and "i don't care how long it takes in my special situation" are dumb in context of the subject

please stop spreading bullshit - we have enough idiots out there blindly following whatever they read wherever on the internet without the slightest clue what they are doing

YOU can do what you want on YOUR machine but best practices are there to avoid endless threads over and over again when someone has a problem and nobody knows about his setup and your "i do everything like i want" is off-topic
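The save-then-restore flow argued for above, as an added example that is not part of the thread and is not any participant's script: a small POSIX sh helper that writes the live ruleset with iptables-save to a temporary file and renames it into place, refuses to load a dump that is not structurally valid iptables-save output, and reloads it with "iptables-restore --test" (parse the whole ruleset, commit nothing) before the real "iptables-restore". The rules file path /etc/sysconfig/iptables, the function names and the sample dump are assumptions constructed for illustration. The structural check is plain awk and runs without netfilter; only save_rules and restore_rules need root and an installed iptables.

```shell
#!/bin/sh
# Added example (not from the thread): save and atomically reload an iptables
# ruleset using only iptables-save / iptables-restore, with a sanity check
# on the dump before it is trusted at boot.

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"   # assumed path, override via env

# check_dump FILE: accept only iptables-save syntax.  Every '*table' block must be
# closed by COMMIT, every other non-comment line must be a chain policy (':CHAIN
# POLICY [p:b]') or an '-A' rule, and at least one table must be present.
check_dump() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }                    # comments, blank lines
        /^\*[a-z]+$/  { if (open) bad = 1; open = 1; tables++; next }
        /^COMMIT$/    { if (!open) bad = 1; open = 0; next }
        /^:[^ ]+ / || /^-A / { if (!open) bad = 1; rules++; next }
        { bad = 1 }                                           # e.g. a shell "iptables -A ..." line
        END { if (bad || open || tables == 0) exit 1 }
    ' "$1"
}

# count_rules FILE: number of '-A' rules in the dump (chain policies not counted).
count_rules() {
    grep -c '^-A ' "$1"
}

# write_sample_dump FILE: constructed iptables-save output used for testing offline.
write_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample, not a real host)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed (constructed sample)
EOF
}

# save_rules: dump the live ruleset, verify it, then rename into place so a
# reader never sees a half-written rules file.  Needs root and iptables.
save_rules() {
    tmp="$RULES_FILE.tmp.$$"
    iptables-save > "$tmp" && check_dump "$tmp" && mv -f "$tmp" "$RULES_FILE"
}

# restore_rules: reload the saved state 1:1.  '--test' parses the complete file and
# commits nothing; the real restore then replaces each table in one kernel call.
restore_rules() {
    check_dump "$RULES_FILE" || {
        echo "refusing to load $RULES_FILE: not a valid iptables-save dump" >&2
        return 1
    }
    iptables-restore --test "$RULES_FILE" || return 1
    iptables-restore "$RULES_FILE"
}

case "${1:-}" in
    save)    save_rules ;;
    restore) restore_rules ;;
esac
```

Run as "sh rules.sh save" after building the ruleset however you like, and "sh rules.sh restore" from the boot unit. The point the thread keeps returning to is in restore_rules: iptables-restore hands the kernel a complete table per COMMIT, so there is no window in which a half-built ruleset is active, whereas a shell script applying rules one iptables call at a time necessarily passes through intermediate states. On a system using the nft backend, iptables-restore is the same binary the message calls iptables-nft-restore.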
