arno-iptables-firewall / aif

GNU General Public License v2.0

AIF drops all traffic on force-reload #1

Closed arnova closed 8 years ago

arnova commented 11 years ago

Due to the implementation of our current blocked-hosts batch loader, we drop all firewall traffic on force-reload because we temporarily set the fw policy to drop while reloading. Especially with large lists of blocked hosts this is undesirable. Perhaps we should fix this by using a passive and an active chain?

arnova commented 11 years ago

@abelbeck : Any ideas?

abelbeck commented 11 years ago

Just to clarify, only "new" firewall traffic will be dropped, "active" sessions will be allowed to continue while the firewall is reloaded... including blocked-hosts and all other parts of the firewall. We currently do this to make sure an unwanted firewall state does not establish itself with a half-baked set of firewall rules.

I suspect the problem isn't with blocked-hosts, unless the user has thousands of entries, since it uses iptables-restore to add the rules as quickly as iptables allows; the total rule rebuilding process of a restart is in the "block new traffic" mode.

My only suggestion is to define all rules of a restart via an iptables-restore to minimize the time it takes, but that would be a disruptive change from how we do it currently. Should there be an iptables rule error, it would be difficult to tell which rule(s) it is with an iptables-restore instead of the current realtime iptables calls.

arnova commented 11 years ago

To be honest: This is a user bug report, I didn't verify it myself so this may not be our turf...

arnova commented 11 years ago

I did some more thinking about the issue and I think the reporter has a point: ideally we shouldn't drop any new traffic either while loading blocked hosts. Especially with long lists this can be (very) undesirable.

abelbeck commented 8 years ago

@arnova I'm in the process of adding optional ipset support when IPTABLES_IPSET=1 is defined.

Not only is this much faster, but 'sets' can be swapped, so during force-reload the old set can be still active while the new set is being created, then swapped and the old set destroyed. No need to drop new traffic during force-reload.

Works quite nicely in my testing; down the road we can make this the default, but we need more testing.
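The swap pattern described in the comment above, as an added example that is not AIF's own code: a constructed blocked-hosts list is turned into the ipset command sequence that fills a temporary set, swaps it with the live set in a single step and destroys the old one, so the iptables rule referencing the live set keeps matching throughout and the policy never has to be flipped to DROP. The set names, the `hash:net` type and the sample entries are assumptions.

```shell
#!/bin/sh
# Constructed blocked-hosts list for this example (hypothetical entries,
# taken from the RFC 5737 / RFC 3849 documentation ranges).
BLOCKED_HOSTS_LIST='
# comments and blank lines are ignored
192.0.2.10
198.51.100.0/24
2001:db8::/32
'

# Emit the ipset commands for a swap-based reload of set "$1" for address
# family "$2" (inet or inet6): fill a temporary set, swap it with the live
# set atomically, then destroy the now-old set. The iptables rule matching
# the live set (e.g. -m set --match-set "$1" src) is never touched, so no
# packet is evaluated against a half-built list. Nothing is executed here;
# pipe the output to sh as root to apply it.
build_ipset_reload() {
  live="$1"
  family="$2"
  tmp="${live}_tmp"
  # Make sure the live set exists, otherwise the swap below would fail.
  printf 'ipset create %s hash:net family %s -exist\n' "$live" "$family"
  printf 'ipset create %s hash:net family %s -exist\n' "$tmp" "$family"
  printf 'ipset flush %s\n' "$tmp"
  printf '%s\n' "$BLOCKED_HOSTS_LIST" | while read -r host; do
    case "$host" in
      ''|'#'*) continue ;;                        # skip blanks and comments
      *:*) [ "$family" = inet6 ] || continue ;;   # IPv6 entry: inet6 sets only
      *)   [ "$family" = inet ]  || continue ;;   # IPv4 entry: inet sets only
    esac
    printf 'ipset add %s %s -exist\n' "$tmp" "$host"
  done
  printf 'ipset swap %s %s\n' "$tmp" "$live"
  printf 'ipset destroy %s\n' "$tmp"
}

# Number of "ipset add" lines the reload would issue (sanity check).
count_adds() {
  build_ipset_reload "$1" "$2" | grep -c '^ipset add '
}
```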

abelbeck commented 8 years ago

Fixed in 2.0.1g with IPTABLES_IPSET=1