tags 693177 +patch
forcemerge 693177 662743
stop

Hi.
First... when iptables-persistent should really support ipsets (which is necessary IMHO)... then I suggest to rename the package and /etc/iptables to netfilter-persistent and /etc/netfilter respectively. Simply because it's no longer only iptables persistent.

I would then create _two_ initscripts, one being iptables-persistent (or for simplicity just iptables) and one ipsets-persistent (or just ipset). Why two? Well, one wants to control reloading of both separately (e.g. when the files change). Of course the iptables-persistent one needs to depend on the ipsets-persistent one because the sets must be there first.

Second... ipset is IMHO broken as it does not provide a real restore command as iptables-restore does. "ipset restore" is merely an additive merge in most cases... actually it just executes each line of the fed-in file,... but it doesn't remove any old sets (which is admittedly not possible when they're still in use... but worse... it does not even remove old entries). I had a longer discussion[0] with upstream but apparently he shows no insight that his current restore operation is useless...

Now making a real restore is tricky to impossible. Tricky, because a simple:

    ipset flush
    ipset destroy
    ipset restore < foo

is not enough. Even though it seems to do just what is wanted... there is a considerable amount of time where no entries are in place... and connections would fail. And it doesn't handle at all that sets which are in use cannot be destroyed.

Attached is a shell routine, which does some smarter restore... it normally adds new sets... it adds all sets that already exist with a _tmp_ prefix and then swaps the contents (which is atomic) and then tries to flush/destroy the now old _tmp_ sets (which should in principle always work). It then tries to flush/destroy completely gone sets... which may not work, when these are still in use by iptables rules.

The shell function is called with no argument... and might be reused in an init script.
Testing is welcomed.

Cheers,
Chris.

[0] http://marc.info/?t=135592953800004&r=1&w=2
[Attachment: restore_ipsets.sh (application/shellscript)]
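The swap-based restore described in the message, written out as an added example for this page. It is not the restore_ipsets.sh attachment and not ipset's own code. It assumes the input file is in "ipset save" format (create/add lines), that set names contain no whitespace, and that an IPSET variable (an assumption of this example) names the ipset binary so the function can be pointed at a wrapper for dry runs. Unlike the attachment, it takes the save file as an argument.

```shell
#!/bin/sh
# Added example: atomic ipset restore via temporary sets and "ipset swap".
# Not the restore_ipsets.sh from the bug report. Input must be in
# "ipset save" format (create/add lines). IPSET is an assumed variable that
# lets the caller point the function at a wrapper instead of the real binary.
IPSET="${IPSET:-ipset}"
TMP_PREFIX="_tmp_"

# Set names declared by "create" lines in the save file, one per line.
sets_in_file() {
    awk '$1 == "create" { print $2 }' "$1" | sort -u
}

# Set names currently loaded in the kernel ("ipset list -n" prints names only).
sets_in_kernel() {
    "$IPSET" list -n 2>/dev/null | sort -u
}

# Copy the save file to stdout, renaming every set listed in $2 (space
# separated) to its _tmp_ counterpart on both "create" and "add" lines.
rename_sets() {
    awk -v prefix="$TMP_PREFIX" -v names="$2" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 == "create" || $1 == "add") && ($2 in want) { $2 = prefix $2 }
        { print }
    ' "$1"
}

# Restore the sets in $1 without a window where a live set is empty:
#  1. sets that already exist are loaded under a _tmp_ name, then swapped in
#     ("ipset swap" is atomic but requires the same set type and family);
#  2. brand-new sets are created directly;
#  3. sets missing from the file are flushed and destroyed, best effort,
#     because a set still referenced by an iptables rule cannot be destroyed.
restore_ipsets() {
    file="$1"
    wanted=$(sets_in_file "$file")
    present=$(sets_in_kernel)

    existing=""
    for s in $wanted; do
        if printf '%s\n' "$present" | grep -qxF -- "$s"; then
            existing="$existing $s"
        fi
    done

    # Leftover _tmp_ sets from an interrupted earlier run would make the
    # restore fail with "set already exists", so drop them first.
    for s in $existing; do
        if printf '%s\n' "$present" | grep -qxF -- "${TMP_PREFIX}$s"; then
            "$IPSET" flush "${TMP_PREFIX}$s"
            "$IPSET" destroy "${TMP_PREFIX}$s" || return 1
        fi
    done

    # One "ipset restore" for everything; existing sets land in _tmp_ copies.
    rename_sets "$file" "$existing" | "$IPSET" restore || return 1

    for s in $existing; do
        "$IPSET" swap "${TMP_PREFIX}$s" "$s" || return 1
        "$IPSET" flush "${TMP_PREFIX}$s"
        "$IPSET" destroy "${TMP_PREFIX}$s" ||
            echo "warning: could not destroy ${TMP_PREFIX}$s" >&2
    done

    for s in $present; do
        case "$s" in "$TMP_PREFIX"*) continue ;; esac
        if ! printf '%s\n' "$wanted" | grep -qxF -- "$s"; then
            "$IPSET" flush "$s" 2>/dev/null
            "$IPSET" destroy "$s" 2>/dev/null ||
                echo "warning: $s is still in use, left empty" >&2
        fi
    done
}

# Usage: restore_ipsets FILE   (FILE in "ipset save" format)
if [ "$#" -gt 0 ]; then
    restore_ipsets "$1"
fi
```

The swap step is what closes the gap the message describes: the old set stays in place and keeps matching until the kernel atomically exchanges it with the freshly loaded _tmp_ copy. If a set's type or family changed in the file, the swap fails and the function returns nonzero rather than silently leaving the _tmp_ copy behind; such a set can only be replaced by destroying it, which in turn needs every iptables rule referencing it to be gone first.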