tam7t / droplan

Manage iptable rules for the private interface on DigitalOcean droplets
MIT License

Do you clear the old entries from the chain? #35

Open bobymicroby opened 8 years ago

bobymicroby commented 8 years ago

Hi @tam7t

I had a quick look at the code, and it seems to me that you only append rules to the chain. Droplets are ephemeral, so we will end up with a lot of allowed droplets, even after we have destroyed them and they already belong to Eve.

Regards, B.

tam7t commented 8 years ago

Each run of droplan will first clear the chain before adding peers:

https://github.com/tam7t/droplan/blob/master/tables.go#L43

bobymicroby commented 8 years ago

Great. Go is still a bit cryptic for me :)

On Wed, Nov 2, 2016, 02:48 Tommy Murphy notifications@github.com wrote:

Each run of droplan will first clear the chain before adding peers:

https://github.com/tam7t/droplan/blob/master/tables.go#L43


josegonzalez commented 7 years ago

Does this mean that there is a period of time during which the network is left unsecured? Seems like a better tack would be to load the existing chain, modify it in-memory, and apply changes as necessary.

tam7t commented 7 years ago

No, the chain that is cleared only has the ACCEPT rules, the default rule is DROP on the interface.

josegonzalez commented 7 years ago

So then network traffic will blip?

tam7t commented 7 years ago

@josegonzalez that is addressed by https://github.com/tam7t/droplan/issues/11 with the -A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT rule so that established connections are not dropped.

josegonzalez commented 7 years ago

Right but I guess new connections will break during the time it takes to update the chain, correct?
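The window josegonzalez is asking about exists whenever a chain is flushed with one iptables call and refilled with several more. One way to close it, shown here as an added example that is not droplan's own code, is to hand the whole peer list to iptables-restore, which applies the entire fragment in a single commit. With `--noflush`, a user-defined chain declared in the fragment is emptied and refilled within that same commit, and the rest of the filter table is left untouched. The chain name `PEERS` is a placeholder, and the script assumes that the jump from INPUT into that chain for the private interface and the conntrack ESTABLISHED,RELATED rule mentioned above are already in place and managed separately. Peer addresses are validated before they are written, so a malformed entry cannot turn into a stray rule.

```shell
#!/bin/sh
# Added example, not part of droplan: build an iptables-restore fragment that
# refills the peer ACCEPT chain in one commit, so the chain is never empty
# between a flush and the re-add of the current peers.
# Assumptions (not from the project): the chain is called PEERS, and the
# INPUT -> PEERS jump plus the conntrack rule already exist outside this chain.

# Accept only dotted-quad IPv4 addresses with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dot
    esac
    oldifs=$IFS
    IFS=.
    set -- $1                               # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_ruleset IFACE PEER_IP...  -> iptables-restore fragment on stdout.
# Returns 1 without printing anything if any peer address is malformed.
gen_ruleset() {
    iface=$1
    shift
    for peer in "$@"; do
        valid_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Declaring the chain here makes iptables-restore --noflush empty it and
    # refill it from the rules below, all inside the single COMMIT.
    printf '%s\n' ':PEERS - [0:0]'
    for peer in "$@"; do
        printf '%s\n' "-A PEERS -i $iface -s $peer -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone usage: print the fragment for the peers given on the command line.
# Constructed sample:  sh atomic-peers.sh eth1 10.132.0.5 10.132.0.9
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

To apply it, pipe the output into `iptables-restore --noflush`; the kernel swaps in the new table contents atomically, so connections that were being accepted via the ESTABLISHED,RELATED rule keep flowing and new connections from listed peers never hit an empty chain. The same fragment can be reviewed or diffed before it is loaded, which is harder to do with a sequence of individual iptables calls.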