To: gentoo-user@lists.gentoo.org
From: Martin Vaeth
Subject: [gentoo-user] Re: Where to put advanced routing configuration?
Date: Fri, 11 Oct 2013 07:18:35 +0000 (UTC)
References: <524DD388.9020507@fastmail.co.uk> <524F39F6.4040409@orlitzky.com>

Michael Orlitzky wrote:
>
> And my counterarguments:
>
> 1. The iptables-restore syntax is uglier and harder to read.
>
> 2. You get better error reporting calling iptables repeatedly.
>
> 3. The published interface will never change; iptables-restore reads an
> input language whose specification is "whatever iptables-save outputs."
>
> 4. A bash script is far more standard and less confusing to your coworkers.
>
> 5. You can't script iptables-restore!

Well, actually you can script iptables-restore. In fact, you can write a
function "ip4tables" which emulates the behaviour of ip4tables by storing
data in variables which are then later passed to iptables-restore, and so
the user sees almost no difference although race conditions are avoided.

However, 3. is a severe problem for such complex functions.
There should be an official way to avoid races, e.g. if ip4tables itself
were able to successively extend an output file which can then be used
for iptables-restore.
If you have contact with the iptables developers, please suggest such a
thing. Or maybe somebody has a better idea?
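The wrapper approach described in the reply above, as an added example that is not code from the post or from the iptables project: an `ip4tables` shell function that records each call in variables instead of executing it, then renders the whole set in iptables-save format so a single `iptables-restore` run installs it atomically. The function and variable names, the constructed sample rule set, and the restriction that `-t` must be the first argument are this example's own choices; it also lives with point 3 of the quoted list, since the text it emits is exactly the iptables-save dialect.

```shell
#!/bin/sh
# Added example, not code from the post: an ip4tables() wrapper that records
# each call in shell variables and later renders one iptables-restore file,
# so the whole rule set is installed atomically instead of rule by rule.
# All function and variable names here are this example's own choices.
NL='
'

# Builtin chains of each table, as iptables-restore expects them declared.
ip4_builtin_chains() {
    case $1 in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# Append LINE ($2) to the newline-separated list held in variable VARNAME ($1).
ip4_append() {
    eval "_cur=\$$1"
    _cur="${_cur}${_cur:+$NL}$2"
    eval "$1=\$_cur"
}

# Join arguments into one rule line, double-quoting any that contain whitespace
# (e.g. --comment "admin ssh") so iptables-restore reads them back as one token.
ip4_quote() {
    _out=""
    for _a in "$@"; do
        case $_a in *[[:space:]]*) _a="\"$_a\"" ;; esac
        _out="${_out}${_out:+ }$_a"
    done
    printf '%s' "$_out"
}

# Start from an empty rule set: builtin chains with ACCEPT policy, no user chains.
ip4tables_reset() {
    for _t in filter nat mangle raw; do
        _chains=""
        for _c in $(ip4_builtin_chains "$_t"); do
            _chains="${_chains}${_chains:+$NL}:$_c ACCEPT [0:0]"
        done
        eval "IP4_CHAINS_$_t=\$_chains; IP4_RULES_$_t=''; IP4_USED_$_t=''"
    done
}

# Drop-in for the commands a firewall script normally issues:
#   ip4tables [-t TABLE] -P CHAIN POLICY | -N CHAIN | -A CHAIN ... | -I CHAIN ...
# Nothing touches the kernel; the call is only recorded. (-t must come first.)
ip4tables() {
    _table=filter
    if [ "$1" = "-t" ]; then _table=$2; shift 2; fi
    ip4_builtin_chains "$_table" >/dev/null || { echo "ip4tables: bad table '$_table'" >&2; return 1; }
    eval "IP4_USED_$_table=1"
    case $1 in
        -P) # only builtin chains carry a policy word on their ":CHAIN POLICY [0:0]" line
            eval "_cur=\$IP4_CHAINS_$_table"
            printf '%s\n' "$_cur" | grep -q "^:$2 [A-Z]" \
                || { echo "ip4tables: $2 is not a builtin chain of $_table" >&2; return 1; }
            _new=$(printf '%s\n' "$_cur" | sed "s/^:$2 [A-Z]* \[0:0\]\$/:$2 $3 [0:0]/")
            eval "IP4_CHAINS_$_table=\$_new" ;;
        -N) ip4_append "IP4_CHAINS_$_table" ":$2 - [0:0]" ;;
        -A|-I) ip4_append "IP4_RULES_$_table" "$(ip4_quote "$@")" ;;
        *) echo "ip4tables: unsupported in restore mode: $*" >&2; return 1 ;;
    esac
}

# Render the recorded state in iptables-save format, one block per table that
# was touched (iptables-restore leaves tables that are absent from its input alone).
ip4tables_render() {
    for _t in filter nat mangle raw; do
        eval "_used=\$IP4_USED_$_t; _chains=\$IP4_CHAINS_$_t; _rules=\$IP4_RULES_$_t"
        [ -n "$_used" ] || continue
        printf '*%s\n%s\n' "$_t" "$_chains"
        if [ -n "$_rules" ]; then printf '%s\n' "$_rules"; fi
        printf 'COMMIT\n'
    done
}

# Install the whole set in one iptables-restore run: it parses the complete file
# before committing and replaces each table's rule set in a single step, so there
# is no window in which only part of the firewall is in place.
ip4tables_commit() {
    ip4tables_render | iptables-restore
}

# Constructed sample rule set (needs no root; nothing is applied).
example_ruleset() {
    ip4tables_reset
    ip4tables -P INPUT DROP
    ip4tables -P FORWARD DROP
    ip4tables -N ssh_guard
    ip4tables -A INPUT -i lo -j ACCEPT
    ip4tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip4tables -A INPUT -p tcp --dport 22 -m comment --comment "admin ssh" -j ssh_guard
    ip4tables -A ssh_guard -m limit --limit 3/min -j ACCEPT
    ip4tables -A ssh_guard -j DROP
    ip4tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ip4tables_render
}

# Run directly: print the restore file. Pipe it into "iptables-restore --test"
# to have it parsed without being committed, or call ip4tables_commit to install.
example_ruleset
```

Because the wrapper only stores text, a syntax error is reported by iptables-restore for the whole file rather than per call (point 2 in the quoted list); running the rendered output through `iptables-restore --test` first gives that report without touching the live rule set.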