To: gentoo-user@lists.gentoo.org
From: Martin Vaeth
Subject: [gentoo-user] Re: scripted iptables-restore
Date: Sun, 13 Oct 2013 15:19:26 +0000 (UTC)
References: <524DD388.9020507@fastmail.co.uk> <524F39F6.4040409@orlitzky.com> <525AAADE.7040700@orlitzky.com>

Michael Orlitzky wrote:
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
> [...]
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.

I don't know how this is related to the discussion.
The main advantage of using iptables-restore is avoidance of race
conditions. A secondary advantage is a speed improvement; in my case,
the machine boots about 2 seconds faster, which can be a considerable
advantage if you start virtual machines.

> With bash [...]

(I would use a POSIX shell because it is considerably faster, but this
need not be discussed here.)

That's why I said that it can be scripted (which was my motivation to
write firewall-scripted.sh): firewall-scripted.sh (or some similar
script) gives you exactly the same advantages, but without races, and
faster.
In your example:

> function static_nat() {
>     iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
>     iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }

Essentially, you just have to replace "iptables" by "FwmvTables 4".
If you are too lazy to use a text editor or to replace "iptables" by a
variable (like $iptables), you can do this even by defining the function:

    iptables() {
        FwmvTables 4 "${@}"
    }

Then you just put in front of your script the line

    . firewall-scripted.sh

and in the end (or before you call exit):

    FwmvSet 4

That's it...

> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.

*Using* firewall-scripted.sh is as convenient as using iptables directly
(you just replace one command and add two lines to your script).
Of course, the disadvantage is that some day firewall-scripted.sh might
break with iptables (and that maybe the script still has bugs...).
As I said, it would be better if something similar were provided by
iptables itself. But the advantages are clear.
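The approach discussed in this thread (queue every rule in the shell, then hand the complete ruleset to iptables-restore in one atomic call so there is no window with a half-loaded firewall), as an added example that is neither firewall-mv's code nor the poster's. The function names fw_add, fw_render and fw_apply are assumptions; static_nat is the helper from the thread rewritten to queue rules instead of calling iptables directly.

```shell
#!/bin/sh
# Added example, not firewall-mv's own code: queue iptables rules in shell
# variables and render one iptables-restore document, so the whole ruleset is
# loaded atomically instead of one race-prone iptables call per rule.
# Function names (fw_add, fw_render, fw_apply) are hypothetical.

FW_FILTER=""; FW_NAT=""; FW_MANGLE=""; FW_RAW=""   # one rule per line
_nl=$(printf '\n_'); _nl=${_nl%_}                  # portable newline

# fw_add TABLE RULE... : queue a rule; the table argument replaces "-t TABLE".
# Arguments are joined with spaces, so a multi-word argument such as
# --comment "a b" would need extra quoting before iptables-restore sees it.
fw_add() {
    _table=$1; shift
    case $_table in
        filter) FW_FILTER="${FW_FILTER}$*${_nl}" ;;
        nat)    FW_NAT="${FW_NAT}$*${_nl}" ;;
        mangle) FW_MANGLE="${FW_MANGLE}$*${_nl}" ;;
        raw)    FW_RAW="${FW_RAW}$*${_nl}" ;;
        *) echo "fw_add: unknown table '$_table'" >&2; return 1 ;;
    esac
}

# fw_render : print iptables-restore input; tables without rules are skipped
fw_render() {
    _emit() { if [ -n "$2" ]; then printf '*%s\n%sCOMMIT\n' "$1" "$2"; fi; }
    _emit raw "$FW_RAW";  _emit mangle "$FW_MANGLE"
    _emit nat "$FW_NAT";  _emit filter "$FW_FILTER"
}

# fw_apply : load everything in a single call (needs root and real iptables)
fw_apply() { fw_render | iptables-restore; }

# static_nat INTERNAL_IP EXTERNAL_IP : the thread's helper, queued instead of
# executed immediately
static_nat() {
    fw_add nat -A PREROUTING -d "$2" -j DNAT --to "$1"
    fw_add nat -A POSTROUTING -s "$1" -j SNAT --to "$2"
}
```

Run fw_render without root to inspect the generated document before letting fw_apply load it.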