From: Michael Orlitzky
Date: Fri, 04 Oct 2013 17:58:14 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Where to put advanced routing configuration?
Message-ID: <524F39F6.4040409@orlitzky.com>
References: <524DD388.9020507@fastmail.co.uk>
In-Reply-To: <524DD388.9020507@fastmail.co.uk>

On 10/03/2013 04:28 PM, Kerin Millar wrote:
>
> The iptables runscript is ideal for persisting the rules. However,
> during the initial construction of a non-trivial ruleset, I prefer to
> write a script that adds the rules. An elegant way of doing this is to
> use iptables-restore with a heredoc. The method - and its advantages -
> are described in this document (section 3):
>
> http://inai.de/documents/Perfect_Ruleset.pdf
>

This advice is dubious in my opinion. The `iptables` command line is the published interface to iptables. The iptables-restore syntax is an implementation detail, subject to change at any time.

Here are his arguments:

1. Calling iptables repeatedly is slow.

Who cares? How often do you invoke the script? Once or twice a year when you change it.

2. There is an opportunity for someone to bypass the rules between dropping/recreating them.

Again, you run the script once or twice a year. Turn off the interface beforehand if a few microseconds per year is too long to run without a firewall.

And my counterarguments:

1. The iptables-restore syntax is uglier and harder to read.

2. You get better error reporting calling iptables repeatedly.

3. The published interface will never change; iptables-restore reads an input language whose specification is "whatever iptables-save outputs."

4. A bash script is far more standard and less confusing to your coworkers.

5. You can't script iptables-restore! What if you want to call sed, cut, or grep on something and pass that to iptables? You can write a bash script that writes an iptables-restore script to accomplish the same thing, but how much complexity are you willing to add for next to no benefit?
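As an added example (not from either poster), the same small ruleset expressed both ways the thread discusses: as repeated iptables calls, and as iptables-restore input generated from a heredoc driven by a shell variable. The host, interface and port list are assumptions; the two generator functions only emit text, and apply_ruleset is the only function that touches the live firewall.

```bash
#!/bin/bash
# Added example (not from the thread): one ruleset written both ways.
# Assumed: a host that should only accept inbound SSH and HTTPS.
# The port list is a shell variable so both generators are scriptable.
ALLOWED_TCP_PORTS="22 443"

# Style 1: one iptables call per rule. Each call is checked individually,
# so a typo in rule N is reported as a failure of that exact command.
build_iptables_cmds() {
    local p
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Style 2: iptables-restore input from a heredoc. The filter table is
# replaced in a single COMMIT, so there is no window in which INPUT is
# empty. Without --noflush, each table named in the input is flushed
# before its rules load; tables not mentioned here are left alone.
build_restore_input() {
    local p
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Load the generated ruleset (needs root). --test parses the input without
# committing it, so the text is linted before it is ever applied.
apply_ruleset() {
    build_restore_input | iptables-restore --test || return 1
    build_restore_input | iptables-restore
}
```

Running `build_iptables_cmds` or `build_restore_input` on its own prints the generated text for review; only `apply_ruleset` changes the running firewall.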