Michael Orlitzky <michael@××××××××.com> wrote:

> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
> [...]
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.

I don't know how this is related to the discussion.
The main advantage of using iptables-restore is avoidance of
race conditions. A secondary advantage is a speed improvement;
in my case, the machine boots about 2 seconds faster, which can
be a considerable advantage if you start virtual machines.

> With bash [...]

(I would use a POSIX shell because it is considerably faster,
but this need not be discussed here.)

That's why I said that it can be scripted
(which was my motivation to write firewall-scripted.sh):

firewall-scripted.sh (or some similar script) gives you exactly
the same advantages, but without races, and faster.
In your example:

> function static_nat() {
>     iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
>     iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }

Essentially, you just have to replace "iptables" by "FwmvTables 4".
If you are too lazy to use a text editor or to replace "iptables"
by a variable (like $iptables), you can do this even by
defining the function:

iptables() {
    FwmvTables 4 "${@}"
}

Then you just put in front of your script the line

. firewall-scripted.sh

and at the end (or before you call exit):

FwmvSet 4

That's it...
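
Added example, not part of this message and not the code of firewall-scripted.sh itself: a minimal POSIX sh shim that shows the idea behind the three steps above. A script like static_nat() runs unchanged; every iptables call is only recorded, and fw_commit (the counterpart of FwmvSet) hands the complete ruleset to iptables-restore in one atomic load, which is where the freedom from races comes from. The fw_* and FW_* names are invented for this example.

```shell
#!/bin/sh
# Added illustration, not the real firewall-scripted.sh from the mv overlay: record
# every "iptables ..." call instead of running it, then load the whole ruleset at
# once with iptables-restore.  The fw_* / FW_* names are invented for this example.

FW_RULES=""       # recorded rules, one per line:    "<table> <rule args>"
FW_POLICIES=""    # recorded policies, one per line: "<table> <chain> <policy>"
FW_NL='
'                 # a literal newline, used to separate recorded lines

# Built-in chains per table; iptables-restore wants a ":CHAIN POLICY" line for each.
fw_chains() {
    case $1 in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
    esac
}

# Drop-in replacement for the iptables command.  Only "-t TABLE" as first option
# and "-P CHAIN POLICY" are interpreted; arguments are joined with single spaces.
iptables() {
    fw_t=filter
    if [ "$1" = "-t" ]; then fw_t=$2; shift 2; fi
    if [ "$1" = "-P" ]; then FW_POLICIES="$FW_POLICIES$fw_t $2 $3$FW_NL"
    else FW_RULES="$FW_RULES$fw_t $*$FW_NL"
    fi
}

# Render the recorded ruleset in iptables-restore syntax.
fw_render() {
    for t in filter nat mangle raw; do
        rules=$(printf '%s' "$FW_RULES" | sed -n "s/^$t //p")
        pols=$(printf '%s' "$FW_POLICIES" | sed -n "s/^$t //p")
        [ -n "$rules$pols" ] || continue     # tables never mentioned are left alone
        printf '*%s\n' "$t"
        for c in $(fw_chains "$t"); do
            p=$(printf '%s\n' "$pols" | sed -n "s/^$c //p")
            printf ':%s %s [0:0]\n' "$c" "${p:-ACCEPT}"
        done
        [ -z "$rules" ] || printf '%s\n' "$rules"
        printf 'COMMIT\n'
    done
}

# The FwmvSet step: the kernel swaps each table in one atomic operation, so there
# is never a moment where only part of the firewall is in place.
fw_commit() { fw_render | iptables-restore; }
```

Sourcing this file in place of firewall-scripted.sh and ending the script with fw_commit is all that changes; a policy set with "iptables -P INPUT DROP" ends up on the ":INPUT DROP" line of the restore text, so the default-deny policy and the rules that open the needed ports arrive in the kernel together.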

> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.

*Using* firewall-scripted.sh is as convenient as using iptables directly
(you just replace one command and add two lines to your script).
Of course, the disadvantage is that some day firewall-scripted.sh might
break with iptables (and that maybe the script still has bugs...).
As I said, it would be better if something similar were provided
by iptables itself. But the advantages are clear.