Michael Orlitzky <mich...@orlitzky.com> wrote:
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
> [...]
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
I don't know how this is related with the discussion.
The main advantage of using iptables-restore is avoidance of
race conditions. A secondary advantage is a speed improvement;
in my case, the machine boots about 2 seconds faster which can
be a considerable advantage if you start virtual machines.
> With bash [...]
(I would use a POSIX shell because it is considerably faster,
but this need not be discussed here.)
That's why I said that it can be scripted
(which was my motivation to write firewall-scripted.sh):
firewall-scripted.sh (or some similar script) gives you exactly
the same advantages, but without races, and faster.
In your example:
> function static_nat() {
> iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
> iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }
Essentially, you just have to replace "iptables" by "FwmvTables 4".
If you are too lazy to use a text editor or to replace "iptables"
by a variable (like $iptables) you can do this even by
defining the function:
iptables() {
FwmvTables 4 "${@}"
}
Then you just put in front of your script the line
. firewall-scripted.sh
and in the end (or before you call exit):
FwmvSet 4
That's it...
> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.
*Using* firewall-scripted.sh is as convenient as using iptables directly
(you just replace one command and add two lines to your script).
Of course, the disadvantage is that some day firewall-scripted.sh might
break with iptables (and that maybe the script still has bugs...).
As I said, it would be better if something similar would be provided
by iptables itself. But the advantages are clear.
