>> Even though I just implemented this, I have some serious misgivings, the
>> main one being inconsistency. Let's take the following example:
>>
>> iptables -t raw -N foo_raw
>> iptables -N foo_filter
>> iptables -t raw -A foo_raw -m condition --condition foo --init 1
>> iptables -A foo_filter -m condition --condition foo --init 0
>>
>>
>> Since the "condition" match operates on the first-rule-wins basis, "foo"
>> will have been initialised with a value of "1" (enabled).
>>
>> When executing iptables-save, these values would have been included in
>> the resulting restore file as well, however, the order in which
>> iptables-save operates isn't guaranteed to be the order in which "foo"
>> has been initialised. Simply put, "foo" is not guaranteed to be "1" after
>> an iptables-save/iptables-restore cycle is complete. The same is valid if
>> last-rule-wins is adopted.
>>
>> Even if I show the current value of "foo" when iptables -L is executed (1
>> in my example above), or, include this same value in iptables-save, this
>> would be, again, inconsistent with what was originally entered. So, it is
>> a heads I lose, tails you win type scenario.
> 
> If you simply use the current value in 'save', all rules referencing the
> condition should be consistent unless there is an iptables-restore/"echo >
> /proc/..." race, right?
Even if I do that, this will be inconsistent with what was originally entered 
(see "--init 0" above). Not to mention that when I execute the last statement 
in my example above and then issue "iptables -L -vn" this will print a value of 
"1" where I initially entered "0", which is inconsistent to say the least.

Besides, the content of a file isn't guaranteed to be the same unless that file 
has an explicit lock, so, no, that file content ("1" in our case) isn't 
guaranteed to be in iptables-save either.
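The ordering problem discussed in this thread, as an added model that is not part of the original messages, the xt_condition patch, or Shorewall itself. The script replays the two example rules under both the first-rule-wins and the last-rule-wins policy, emulates an iptables-save/iptables-restore cycle as "re-emit the rules grouped by table, in some table order", and checks whether the initialised value of "foo" survives. Both table orders are tried because, as the thread states, the order iptables-save uses is not guaranteed; which order a real kernel produces is not assumed here. It also shows what happens under the "just save the current value" suggestion: the restore file becomes self-consistent but no longer matches what was entered (the "--init 0" rule comes back as "--init 1").

```python
"""Model of xt_condition "--init" semantics across a save/restore cycle.

This is an illustrative model written for this discussion, not code from
xtables-addons or Shorewall.  Rule = (table, condition name, init value).
"""
from typing import Dict, Iterable, List, Sequence, Tuple

Rule = Tuple[str, str, int]

# The two rules from the example in the thread, in the order they were entered:
#   iptables -t raw -A foo_raw    -m condition --condition foo --init 1
#   iptables        -A foo_filter -m condition --condition foo --init 0
ENTERED: List[Rule] = [("raw", "foo", 1), ("filter", "foo", 0)]


def init_conditions(rules: Iterable[Rule], policy: str) -> Dict[str, int]:
    """Replay rules in order and return the resulting condition values.

    policy="first": first rule naming a condition sets it (first-rule-wins).
    policy="last":  every rule naming it overwrites it (last-rule-wins).
    """
    values: Dict[str, int] = {}
    for _table, name, init in rules:
        if policy == "first":
            values.setdefault(name, init)
        elif policy == "last":
            values[name] = init
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return values


def save_restore(rules: Sequence[Rule], table_order: Sequence[str]) -> List[Rule]:
    """Emulate iptables-save followed by iptables-restore.

    The save file lists whole tables one after another, so the rules come
    back grouped by table in whatever table order the save tool used; the
    order within a table is preserved.  (Assumption: which table order
    iptables-save actually emits is exactly what the thread says is not
    guaranteed, so callers pass it in explicitly.)
    """
    return [r for table in table_order for r in rules if r[0] == table]


def survives_cycle(rules: Sequence[Rule], policy: str,
                   table_order: Sequence[str]) -> Tuple[Dict[str, int], Dict[str, int], bool]:
    """Return (value before, value after, whether they agree) for one cycle."""
    before = init_conditions(rules, policy)
    after = init_conditions(save_restore(rules, table_order), policy)
    return before, after, before == after


def rewrite_with_current_value(rules: Sequence[Rule], policy: str) -> List[Rule]:
    """The 'use the current value in save' proposal from the thread.

    Every rule's --init is replaced by the condition's current value, so the
    restore file is self-consistent under any table order, at the cost of no
    longer matching what the administrator originally typed.
    """
    current = init_conditions(rules, policy)
    return [(table, name, current[name]) for table, name, _init in rules]


if __name__ == "__main__":
    for policy in ("first", "last"):
        for order in (("raw", "filter"), ("filter", "raw")):
            before, after, ok = survives_cycle(ENTERED, policy, order)
            print(f"{policy:5}-rule-wins, save order {order}: "
                  f"before={before['foo']} after={after['foo']} "
                  f"{'consistent' if ok else 'CHANGED'}")
    print("saved with current value:", rewrite_with_current_value(ENTERED, "first"))
```

Under either policy exactly one of the two table orders flips "foo", which is the "heads I lose, tails you win" point: the entered rules do not carry enough information to reproduce the value independently of save order. Saving the current value removes the order dependence but turns the entered "--init 0" into "--init 1" in the saved file.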

Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel