| 1 |
Michael Orlitzky <michael@××××××××.com> wrote: |
| 2 |
> On 10/13/2013 06:08 AM, Martin Vaeth wrote: |
| 3 |
>>>> 5. You can't script iptables-restore! |
| 4 |
>>> |
| 5 |
>>> Well, actually you can script iptables-restore. |
| 6 |
>> |
| 7 |
>> For those who are interested: |
| 8 |
>> net-firewall/firewall-mv from the mv overlay |
| 9 |
>> (available over layman) now provides a separate |
| 10 |
>> firewall-scripted.sh |
| 11 |
>> which can be conveniently used for such scripting. |
| 12 |
>> |
| 13 |
> [...] |
| 14 |
> If you have a million rules and you need to wipe/reload them all |
| 15 |
> frequently you're probably doing something wrong to begin with. |
| 16 |
|
| 17 |
I don't know how this is related with the discussion. |
| 18 |
The main advantage of using iptables-restore is avoidance of |
| 19 |
race conditions. A secondary advantage is a speed improvement; |
| 20 |
in my case, the machine boots about 2 seconds faster which can |
| 21 |
be a considerable advantage if you start virtual machines. |
| 22 |
|
| 23 |
> With bash [...] |
| 24 |
|
| 25 |
(I would use a POSIX shell because it is considerably faster, |
| 26 |
but this need not be discussed here.) |
| 27 |
|
| 28 |
That's why I said that it can be scripted |
| 29 |
(which was my motivation to write firewall-scripted.sh): |
| 30 |
|
| 31 |
firewall-scripted.sh (or some similar script) gives you exactly |
| 32 |
the same advantages, but without races, and faster. |
| 33 |
In your example: |
| 34 |
|
| 35 |
> function static_nat() { |
| 36 |
> iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}" |
| 37 |
> iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}" |
| 38 |
> } |
| 39 |
|
| 40 |
Essentially, you just have to replace "iptables" by "FwmvTables 4". |
| 41 |
If you are too lazy to use a text editor or to replace "iptables" |
| 42 |
by a variable (like $iptables) you can do this even by |
| 43 |
defining the function: |
| 44 |
|
| 45 |
iptables() { |
| 46 |
FwmvTables 4 "${@}" |
| 47 |
} |
| 48 |
|
| 49 |
Then you just put in front of your script the line |
| 50 |
|
| 51 |
. firewall-scripted.sh |
| 52 |
|
| 53 |
and in the end (or before you call exit): |
| 54 |
|
| 55 |
FwmvSet 4 |
| 56 |
|
| 57 |
That's it... |
| 58 |
|
| 59 |
> I'm not saying you can't do all of this with iptables-restore, just that |
| 60 |
> you're punishing yourself for little benefit if you do. |
| 61 |
|
| 62 |
*Using* firewall-scripted.sh is as convenient as using iptables directly |
| 63 |
(you just replace one command and add two lines to your script). |
| 64 |
Of course, the disadvantage is that some day firewall-scripted.sh might |
| 65 |
break with iptables (and that maybe the script still has bugs...). |
| 66 |
As I said, it would be better if something similar would be provided |
| 67 |
by iptables itself. But the advantages are clear. |
Archives