
In a project I happen to need to adjust iptables rules programmatically. After some research (involving this and that), I have concluded that it would be suitable to generate an iptables-save compatible output and import it using iptables-restore. Fine so far.

However, I would very much like to make use of ipsets, because they greatly simplify the resulting chains. So at the time of update I need to atomically flush all the iptables & ipset data and put a new set of entries in. How can I do that?

The only solution I can think of is to create the new ipsets first (not atomically, while they are not being used yet), then atomically flush the iptables rules with references to the old ipsets and import the new chains with references to the new ipsets (in one atomic sweep). After that I can non-atomically delete the old ipsets, as they are no longer referenced or used.

However, such a solution seems quite complicated and heavy on overhead.

Does anyone know how this could be done in a better way?

dk1844
    I don't think there's too much overhead in your proposed solution of creating a new set and destroying the old. Alternatively you would need to iterate through all the IPs of the current set to evaluate whether to keep or discard, and finally add any IPs not contained in the "old" set... which seems more complicated really... – darwin Mar 25 '13 at 21:21
  • Did you try the `swap` ipset command, to swap two sets with each other? – Xorax Jun 26 '17 at 08:16
  • @Xorax You should write an answer. The `swap` is definitely the answer to that issue. – Alexis Wilke Oct 08 '22 at 15:35

0 Answers