On Tue, 26 Feb 2013 22:22:02 +0000 Matt Joyce <mjo...@mttjocy.co.uk> wrote:
> The script is attached with comments, note that this version works
> pretty quickly because it doesn't go through and add them line by line
> every load, instead it compares the sorted new list against ipset list
> using comm to find added and deleted entries then only processes
> those, as a sanity check it will use md5sum if available to confirm
> the updated ipset matches checks the md5sum of the two lists match
> after updating provided the md5sum binary is installed.

That's a good idea about comparing the two as a means to save processing
time.

I have two questions:

1. Did you actually compare the time it takes to build an ipset from
scratch (just by processing the text file line by line) versus the time
it takes to make comparisons and modifications as you have it? What was
the time differential? Did you also consider using 'diff' and 'patch'?
If you tried that, was there a difference?

2. In my script, I opted to build the new list as a "temporary ipset"
and then simply swap it out with the one being used in the live
firewall:

    ipset swap ${temp_ipset} ${firewall_ipset}
    ipset destroy ${temp_ipset}

That's effectively an instantaneous transaction. My theory was that this
would minimize actual interference with the running firewall. I only
looked at it briefly, but is your script actually carrying out atomic
add and delete operations to the ipset in use by the running firewall?
Won't this cause some blocking (I assume ipset uses some kind of locking
to prevent simultaneous modification and testing of an ipset) and
thereby, over the course of so many transactions, delay the processing
of packets? Why wouldn't it be better to build a temporary ipset and
then swap it out?

3. Not a question: as to shorewall integration, I avoided it. I just
used my distro's rc system to require ipsets to be up (as a service)
before shorewall.

Thanks for sharing your script. I got a couple of good ideas from it.
I linked to mine the other day, but they're at: http://forums.gentoo.org/viewtopic-t-863121.html
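The two update strategies discussed in this thread, the build-and-swap approach from the reply and the comm-based delta approach from Matt's script, side by side as an added POSIX sh example. This is not code from either poster's script; the set name "blocklist", the set type hash:net and the sample addresses are assumptions, and the functions only print the ipset commands so the logic can be inspected (or piped into sh on a host that has ipset) without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from either script in this thread.
# Two ways to apply a refreshed blocklist to an ipset:
#   emit_swap_plan  - build a temporary set and swap it in, so the live set
#                     changes in one atomic step (the reply's approach)
#   emit_delta_plan - diff the sorted old and new lists with comm and touch
#                     only the entries that changed (Matt's approach)
# Both functions print ipset commands instead of running them; pipe the
# output into sh on a host with ipset installed to apply a plan.
# Set names and the set type "hash:net" are assumptions for this example.
LC_ALL=C; export LC_ALL   # comm needs byte-order sorting, same as sort -u here

emit_swap_plan() {
    live_set=$1; new_list=$2
    tmp_set="${live_set}_tmp"
    # ipset swap only works between sets of the same type, so the temporary
    # set must be created with the live set's type.
    echo "ipset create $tmp_set hash:net"
    sort -u "$new_list" | while read -r entry; do
        [ -n "$entry" ] || continue            # skip blank lines
        echo "ipset add $tmp_set $entry"
    done
    echo "ipset swap $tmp_set $live_set"       # the single atomic step
    echo "ipset destroy $tmp_set"              # now holds the old contents
}

emit_delta_plan() {
    live_set=$1; old_list=$2; new_list=$3
    old_sorted=$(mktemp); new_sorted=$(mktemp)
    sort -u "$old_list" > "$old_sorted"
    sort -u "$new_list" > "$new_sorted"
    # comm -13: lines only in the new list -> add; comm -23: only in old -> del
    comm -13 "$old_sorted" "$new_sorted" | sed "s/^/ipset add $live_set /"
    comm -23 "$old_sorted" "$new_sorted" | sed "s/^/ipset del $live_set /"
    rm -f "$old_sorted" "$new_sorted"
}

# Sanity check in the spirit of Matt's md5sum comparison: hash both lists
# after sorting (the second would be a dump of the set's members taken
# after the update). Returns 0 when the sorted lists are identical.
lists_match() {
    a=$(sort -u "$1" | md5sum | cut -d' ' -f1)
    b=$(sort -u "$2" | md5sum | cut -d' ' -f1)
    [ "$a" = "$b" ]
}
```

The delta plan issues one ipset call per changed entry against the live set, which is what the reply's blocking question is about; the swap plan does all of its adds on a set no rule references yet and touches the live set only in the swap line. Both plans require the new list to be sorted with the same collation as comm expects, which is why LC_ALL=C is forced at the top.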
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users