Michael Orlitzky <mich...@orlitzky.com> wrote:
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
> [...]
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
I don't know how this is related to the discussion.
The main advantage of using iptables-restore is avoidance of
race conditions. A secondary advantage is a speed improvement;
in my case, the machine boots about 2 seconds faster, which can be
a considerable advantage if you start virtual machines.

> With bash [...]

(I would use a POSIX shell because it is considerably faster,
but this need not be discussed here.)

That's why I said that it can be scripted (which was my motivation
to write firewall-scripted.sh): firewall-scripted.sh (or some similar
script) gives you exactly the same advantages, but without races,
and faster. In your example:

> function static_nat() {
>     iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
>     iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }

Essentially, you just have to replace "iptables" by "FwmvTables 4".
If you are too lazy to use a text editor or to replace "iptables"
by a variable (like $iptables), you can do this even by defining
the function:

iptables() {
    FwmvTables 4 "${@}"
}

Then you just put in front of your script the line

. firewall-scripted.sh

and in the end (or before you call exit):

FwmvSet 4

That's it...

> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.

*Using* firewall-scripted.sh is as convenient as using iptables directly
(you just replace one command and add two lines to your script).
Of course, the disadvantage is that some day firewall-scripted.sh might
break with iptables (and that maybe the script still has bugs...).
As I said, it would be better if something similar were provided by
iptables itself. But the advantages are clear.
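As an added example (not code from the post, and not the firewall-scripted.sh of the mv overlay, whose FwmvTables/FwmvSet idea it merely imitates), here is a minimal POSIX-sh sketch of the technique the thread discusses: instead of running one iptables process per rule, shell calls only append lines in iptables-restore syntax to a buffer, and the whole ruleset is then committed in a single iptables-restore run, so there is no window in which chains are flushed but not yet rebuilt. The helper names fw_rule, fw_render and fw_apply, the chain policies and the sample addresses are assumptions made for the example; only the filter and nat tables are handled.

```shell
#!/bin/sh
# Added example, not code from the post or from firewall-scripted.sh.
# Collect rules in iptables-restore syntax from ordinary shell calls, then
# load them with one iptables-restore run instead of one iptables process
# per rule. Helper names (fw_rule, fw_render, fw_apply) are hypothetical.

FW_NL='
'
FW_RULES_filter=''
FW_RULES_nat=''

# fw_rule [-t TABLE] RULE...   (same argument form as the iptables command)
# Appends the rule to the buffer of its table instead of executing it.
# Caveat: arguments are joined with single spaces, so a value containing
# whitespace must already carry the double quotes iptables-restore expects.
fw_rule() {
    _table=filter
    if [ "$1" = "-t" ]; then
        _table=$2
        shift 2
    fi
    case $_table in
        filter) FW_RULES_filter="${FW_RULES_filter}$*${FW_NL}" ;;
        nat)    FW_RULES_nat="${FW_RULES_nat}$*${FW_NL}" ;;
        *)      echo "fw_rule: table '$_table' not handled" >&2; return 1 ;;
    esac
}

# fw_render: print the complete iptables-restore input on stdout.
# Each "*table" block ends with COMMIT, so iptables-restore applies the
# whole table in one step (and nothing at all on a parse error).
# The ":CHAIN POLICY [0:0]" lines set the policy and flush the chain.
fw_render() {
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s' "$FW_RULES_nat"
    printf 'COMMIT\n'
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s' "$FW_RULES_filter"
    printf 'COMMIT\n'
}

# fw_apply: commit everything atomically. Needs root and iptables-restore.
fw_apply() {
    fw_render | iptables-restore
}

# The shim the post describes: scripts written against "iptables" keep
# working unchanged, but now feed the buffer instead of the kernel.
iptables() {
    fw_rule "$@"
}

# The static_nat function quoted in the thread, unchanged.
static_nat() {
    iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
    iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
}

# Constructed sample policy: one DNAT/SNAT pair plus a few filter rules.
static_nat 10.0.0.4 192.0.2.4
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# fw_apply    # uncomment on the firewall host; here the text is only rendered
```

Before committing on a real host, `fw_render | iptables-restore --test` parses the ruleset without loading it, which catches the case the post worries about (a helper script that has drifted out of step with iptables) before any chain is touched. Note that iptables-restore flushes every table that appears in its input, so tables left out of fw_render are untouched, and that the quoting caveat in fw_rule applies to anything like `--comment "two words"`.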