From: Tom E. <te...@sh...> - 2003-08-20 00:45:12

On Tue, 19 Aug 2003, Diego Rivera wrote:

> On Tue, 2003-08-19 at 17:04, Tom Eastep wrote:
> > On Tue, 2003-08-19 at 15:31, Diego Rivera wrote:
> > I think that by radically re-ordering how things are done in Shorewall,
> > these can be left until last.
>
> I'll have to look at the whole of the shorewall start and where these
> commands are called to see if this reordering is truly necessary - but
> for now I'll take your word for it and assume that it is.

If you execute them in line and then can't instantiate the iptables-save
file, what do you do?

> > The state that would be interrogated in my implementation would be a lot
> > more current than might be the case in yours. With yours, the
> > iptables-save file could have been created two weeks ago; with mine, it
> > would be within the last minute or so. Big difference.
>
> Actually, what I propose is generating the iptables-save file every time
> (and possibly saving a backup beforehand just to be safe in case an
> error comes along), so there wouldn't be an issue with stale state since
> the state would be as current as the lastly applied dump file.
>
> Does that make sense?

Ok -- that's roughly equivalent to my last proposal.

> > Most of the out-of-order rules manipulation occurs during "shorewall
> > add".
>
> And I assume this portion draws heavily from the saved state to know
> where things need to be added.

Yes.

> Quite right!
>
> > I would have to do an inventory of what's there as well. Those parts of
> > Shorewall that haven't changed in a year or so are rather fuzzy to me :-)
> >
> I'll get going on this and send it to you so you can compare notes and
> correct me where I'm wrong.

Seems fair.

> > I'll throw out another idea.
> >
> > a) Enhance "shorewall save" to invoke "iptables-save".
> > b) Reorder how Shorewall starts as we've been talking about so that it
> > can take advantage of an iptables-save file if one exists.
> > c) Implement a "shorewall [re]start !" option which ignores the
> > iptables-save file.
> >
> > I think this is a lot easier than either of the other proposals. It
> > still requires that those commands that are dependent on the current
> > state be handled somehow. But that's only one problem whereas the
> > other proposals have more difficult ones I think.
>
> That makes sense - I'll certainly keep this in mind as one of the main
> options. This for sure seems less work than any of the others, and is
> certainly less impacting to shorewall.

I agree.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
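The three mechanisms discussed in the thread above (dumping the ruleset with a backup of the previous dump, refusing to trust a stale dump, and a "!" style option that bypasses the saved dump entirely) can be sketched as a small shell wrapper. This is an added example, not Shorewall's own code: the dump path, the maximum age in minutes and the exit-status convention are assumptions, and the save/restore commands are taken from the SAVE_CMD/RESTORE_CMD variables so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example (not Shorewall's code): save/restore wrapper around an
# iptables-save dump. Keeps the previous dump as FILE.bak, writes the new
# dump atomically, and refuses to restore a dump that is missing, older
# than MAXMIN minutes, or explicitly bypassed (the "restart !" idea).
# Assumed: the caller chooses the dump path, the maximum age and, via the
# variables below, the save/restore commands.
SAVE_CMD=${SAVE_CMD:-iptables-save}
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}

# save_ruleset FILE
# Dump to a temporary file first so a failure half-way never clobbers the
# last good dump; then keep the old dump as FILE.bak and move the new one
# into place.
save_ruleset() {
    file=$1
    tmp="$file.tmp.$$"
    if ! "$SAVE_CMD" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$file"
}

# dump_is_stale FILE MAXMIN
# True when FILE is missing or was last modified more than MAXMIN minutes
# ago (find -mmin is available in GNU, BSD and busybox find).
dump_is_stale() {
    file=$1 maxmin=$2
    [ -f "$file" ] || return 0
    [ -n "$(find "$file" -mmin +"$maxmin" 2>/dev/null)" ]
}

# restore_ruleset FILE MAXMIN [FORCE]
# Exit status 0: dump restored. 2: caller should rebuild the ruleset from
# the configuration instead (FORCE=1, dump missing, or dump stale). Any
# other non-zero status is the restore command's own failure.
restore_ruleset() {
    file=$1 maxmin=$2 force=${3:-0}
    if [ "$force" = 1 ]; then
        echo "restore bypassed on request; rebuilding from configuration" >&2
        return 2
    fi
    if dump_is_stale "$file" "$maxmin"; then
        echo "$file missing or older than $maxmin minutes; rebuilding" >&2
        return 2
    fi
    "$RESTORE_CMD" < "$file"
}

# Typical use (needs root and a real iptables; placeholder path, commented
# out so the file can be sourced without side effects):
# save_ruleset /path/to/ruleset.dump
# restore_ruleset /path/to/ruleset.dump 60 "${FORCE_REBUILD:-0}"
```

A caller that gets status 2 from restore_ruleset falls through to the full rule-generation path, which is exactly the fallback the "!" option needs; a caller that gets any other failure should treat the firewall state as unknown rather than assume the old rules are still loaded.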