On Thu, 2008-01-31 at 20:25 +0000, Simon Hobson wrote:
> Brian J. Murrell wrote:
>
> >I still think fragments of configuration that can be applied/de-applied
> >on interface addition/removal is an interesting idea. Oh, but to have
> >the time... ~sigh~
>
> You can always trigger a shorewall reload. So taking Debian as an
> example, in your /etc/networks/interfaces file you could do something
> like :
>
> iface eth0 inet static
>    ...
>    up shorewall restart
>    down shorewall restart

Yes, indeed, that's exactly the kind of hook where I'd put a script
fragment generated by shorewall to do the necessary bits to add/remove
that interface to the running configuration.

> (I think that's the syntax). Then whenever you take the interface up
> or down you will automatically restart shorewall.

Right. I'm just proposing taking a more surgical approach.

> I believe shorewall
> has locking so it won't break anything if two different processes
> both call for a restart.

That's good to know.

> Particularly now we have the Perl version, reloads are quite quick so
> it's hardly any problem to reload the whole thing.

In my case, my target is a shorewall-lite machine, but yes, a
"shorewall restore" is still quite quick at loading. My proposal is
simply to modify the running configuration to just adjust for the
interface change so that there is less disruption.

> By way of comparison, I've ported an accounting box at work to the
> newer version. As well as traffic shaping, it does accounting for in
> and out traffic on an entire class C - so 510 accounting rules or so.
> Hardware is Pentium III 1GHz and whilst the older version took about
> 90 seconds to load, the newer Perl version loads it in about 6
> seconds.

Right. But there is a scaling issue here. As the number of rules grows
and the number of interface changes grows, so do the periodic outages
due to entire ruleset/routing/traffic control reloads.

b.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users