* Balazs Scheidler wrote, On 02/08/06 08:04:
> On Tue, 2006-08-01 at 21:18 +0200, Sven Schuster wrote:
>> as this would require the complete chain (say, INPUT or
>> OUTPUT) to be "downloaded" to userspace, modified and then again
>> "uploaded" to the kernel. At least until iptables redesign to
>> allow replacement/insertion/deletion of single rules is completed
>> which if started at all will take quite some more time :-)
> 
> Iptables operates on a per-table basis, so it is not only the INPUT or
> OUTPUT chain that needs to be down and uploaded, but the whole filter
> table.
> 
> And in addition, in my humble opinion the iptables ruleset should be up
> to the user to maintain, once some kind of automatism starts to
> add/remove rules on the fly, it becomes more difficult to do other
> changes to add independent rules to the table. For example the user
> needs to save the current ruleset using iptables-save, then modify the
> resulting file, and then load it again. If the ruleset is generated as
> it happens with a lot of tools, this might not be so easy.
> 

Even without this scenario it is not easily safe; if two interfaces
changed at the same time, two copies of iptables would be downloaded to
user space, both modified differently and the last one to be uploaded
would win, the other one losing its changes.

This has bitten me and is one of my reasons for liking ipt_condition

Sam
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
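The lost-update race described in this thread, as an added simulation that is not part of the original messages: `FilterTable`, `simulate` and the per-rule `insert_rule` operation are constructed stand-ins, not real iptables APIs, and the rule strings are made-up sample values.

```python
import threading


class FilterTable:
    """Stand-in for the kernel filter table (constructed simulation). As with
    iptables-save / iptables-restore, the bulk operations are a whole-table
    download and a whole-table upload; insert_rule stands in for the
    single-rule operation the thread says iptables did not yet offer."""

    def __init__(self):
        self._chains = {"INPUT": [], "OUTPUT": []}
        self._lock = threading.Lock()  # each kernel-side operation is atomic

    def download(self):
        with self._lock:
            return {c: list(r) for c, r in self._chains.items()}

    def upload(self, chains):
        with self._lock:
            self._chains = {c: list(r) for c, r in chains.items()}

    def insert_rule(self, chain, rule):
        with self._lock:
            self._chains[chain].append(rule)


def simulate(mode):
    """Two 'interface changed' hooks fire at once, each adding one rule.
    mode: 'racy'   - unsynchronised download/modify/upload (lost update)
          'locked' - the hooks serialise on a userspace lock
          'single' - per-rule insertion, no whole-table replace
    Returns how many rules survived; 2 means nothing was lost."""
    table = FilterTable()
    barrier = threading.Barrier(2)  # makes both racy hooks download before either uploads
    hook_lock = threading.Lock()

    def hook(chain, rule):
        if mode == "single":
            table.insert_rule(chain, rule)
            return
        if mode == "locked":
            hook_lock.acquire()
        try:
            chains = table.download()
            if mode == "racy":
                barrier.wait()  # both hooks now hold a stale copy of the table
            chains[chain].append(rule)
            table.upload(chains)  # last upload wins
        finally:
            if mode == "locked":
                hook_lock.release()

    threads = [threading.Thread(target=hook, args=("INPUT", "-i eth0 -j ACCEPT")),
               threading.Thread(target=hook, args=("OUTPUT", "-o eth1 -j ACCEPT"))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(len(rules) for rules in table.download().values())
```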
