Thread: iptables namespaces

iptables namespaces
Belgium
2007-09-07 13:02:05
Hi again,

I've been thinking about some kind of namespaces in iptables where one can switch from one set of rules to another set of rules by flicking a switch.

In our current setup, we have about 7000 firewall rules. Every time the rules get updated, all of them are removed and uploaded again by a script. Loading all these rules takes a while (let's say a minute, I'm not sure). The result is that for 1 minute, some traffic can get through the firewall rules while other traffic cannot. We have had problems with spam getting through to mailservers behind the firewall, because not all firewall rules were loaded.

Using namespaces would make it possible to load all rules in another namespace and when all rules are loaded, a switch can be toggled to switch over to the new ruleset atomically.

As far as I know, this is not possible with the regular tools at the moment. Every time a rule gets added, the old rules are fetched from the kernel, the new rule is added and the entire resulting new ruleset is uploaded to kernelspace again. But it's not possible to collect all 7000 rules in userspace only, using the iptables command, and then sending them all to userspace in one big batch.

I can see 2 ways that this can work:
* By providing namespaces in the kernel, one can easily select a namespace with e.g. an ioctl and then upload rules to that namespace using iptables.
* By providing a "staging area" in userspace to collect the entire ruleset before sending the batch to kernelspace.

Assuming that something like this does not yet exist, which approach would be best?

kind regards,
-- Steven

Re: iptables namespaces
Germany
2007-09-07 13:46:42
On Friday, 7 September, Steven Van Acker typed the following:

Hi!

> I've been thinking about some kind of namespaces in iptables where one can
> switch from one set of rules to another set of rules by flicking a switch.
> In our current setup, we have about 7000 firewall rules. Every time the
> rules get updated, all of them are removed and uploaded again by a script.
> Loading all these rules takes a while (let's say a minute, I'm not sure).
> The result is that for 1 minute, some traffic can get through the firewall rules
> while other can not. We have had problems with spam getting through to
> mailservers behind the firewall, because not all firewall rules were loaded.

That problem can be solved.

man iptables-restore

> Using namespaces would make it possible to load all rules in another namespace
> and when all rules are loaded, a switch can be toggled to switch over to the new
> ruleset atomically.

That would most probably be nothing different from an iptables-restore.

If you want to emulate that, load your 7000 iptables rules on a temp-machine, use iptables-save, copy the file to your firewalls and run iptables-restore.

Ciao
max
--
Follow the white penguin.

Re: iptables namespaces
Belgium
2007-09-07 14:06:01
On Fri, Sep 07, 2007 at 08:46:42PM +0200, Maximilian Wilhelm wrote:
> > The result is that for 1 minute, some traffic can get through the firewall rules
> > while other can not. We have had problems with spam getting through to
> > mailservers behind the firewall, because not all firewall rules were loaded.
>
> That problem can be solved.
> man iptables-restore

iptables-restore takes a file as input, not a series of iptables commands. This means I would have to edit the file manually, not something I want to do with 7000 firewall rules.

> > Using namespaces would make it possible to load all rules in another namespace
> > and when all rules are loaded, a switch can be toggled to switch over to the new
> > ruleset atomically.
>
> That would be most probably nothing different to a iptables-restore.
> If you want to emulate that, load your 7000 iptables rules on a temp-machine,
> use iptables-save, copy the file to your firewalls and run iptables-restore

That looks somewhat complicated to me. Loading the rules on another machine, with the only purpose to generate an iptables-restore file, then copying that to the real firewall and loading it there.

iptables-restore can indeed be a solution, but then only if iptables can use it as a staging area. That way you can tweak the firewall config with the iptables command until it fits your needs, before sending the entire file to kernelspace with iptables-restore.

Also, this assumes that nothing will go wrong when entering the firewall rules into kernel space, which means userspace and kernelspace need to be in sync module-wise.

kind regards,
-- Steven

Re: iptables namespaces
Germany
2007-09-08 02:26:09
On Sep 7 2007 19:06, Steven Van Acker wrote:
>> > The result is that for 1 minute, some traffic can get through the firewall rules
>> > while other can not. We have had problems with spam getting through to
>> > mailservers behind the firewall, because not all firewall rules were loaded.
>>
>> That problem can be solved.
>> man iptables-restore
>
>iptables-restore takes a file as input, not a series of iptables
>commands.

Yes, it takes a file. And if you looked at it, yes, it takes iptables commands! (besides the table and counter markers)

>This means I would have to edit the file manually, not
>something I want to do with 7000 firewall rules.

Where is the difference between...

iptables -A INPUT -m foobar -j FOOBAR

and adding

-A INPUT -m foobar -j FOOBAR

to the

*filter

section? (Otherwise, write a script, as suggested, or use a GUI.)

Jan
--

Re: iptables namespaces
Belgium
2007-09-08 08:28:11
On Sat, Sep 08, 2007 at 09:26:09AM +0200, Jan Engelhardt wrote:
> >iptables-restore takes a file as input, not a series of iptables
> >commands.
>
> Yes, it takes a file. And if you looked at it, yes, it takes iptables
> commands! (besides the table and counter markers)
>
> >This means I would have to edit the file manually, not
> >something I want to do with 7000 firewall rules.
>
> Where is the difference between...
>
> iptables -A INPUT -m foobar -j FOOBAR
>
> and adding
>
> -A INPUT -m foobar -j FOOBAR
>
> to the
>
> *filter
>
> section? (Otherwise, write a script, as suggested, or use a GUI

Hi,

it's remarkable that we have never tried it this way before.

I tested adding 10000 lines with iptables, then using iptables-save and iptables-restore. The difference in speed is amazing. With iptables it takes 5 minutes and 10 seconds, while iptables-restore takes 0.3 seconds.

Moreover, if there is an error in iptables-restore, none of the changes are committed to kernelspace. So I no longer need to use fancy checking while I'm loading my firewall rules.

Thank you both for the information.

kind regards,
-- Steven

Re: iptables namespaces
Germany
2007-09-08 08:59:50
On Sep 8 2007 13:28, Steven Van Acker wrote:
>
>it's remarkable that we have never tried it this way before.
>I tested adding 10000 lines with iptables, then using iptables-save and
>iptables-restore. The difference in speed is amazing. With iptables it
>takes 5 minutes and 10 seconds, while iptables-restore takes 0.3 seconds.

Well obviously. Because *for EACH* iptables command that you run, it does a load and store. That, by definition, takes O(n*(n+1)); where iptables-restore is like O(n) for n rules.

Jan
--

Re: iptables namespaces
Germany
2007-09-19 10:05:47
Steven Van Acker wrote:
> [...]
> Moreover, if there is an error in iptables-restore, none of the changes
> are committed to kernelspace. So I no longer need to use fancy checking
> while I'm loading my firewall rules.

Correct me if I'm wrong but IIRC the tables are still committed individually. I.e. you cannot commit filter, nat and mangle in one run.

cu
Ludwig
--
(o_ Ludwig Nussel
//
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
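One way to build the userspace "staging area" Steven asks for, doing the conversion Jan describes (drop the leading iptables and put the rest under a *table header) and giving each table its own COMMIT block, since, as Ludwig points out, tables are committed one at a time. This is an added example, not code from anyone in the thread; it assumes one rule per line with no quoted arguments containing spaces, and uses the --test option of newer iptables-restore for the dry run.

```shell
#!/bin/sh
# Added example, not code from the thread: stage plain "iptables ..."
# commands in userspace as an iptables-restore file, then commit the
# whole batch at once. Assumptions: one rule per line, no quoted
# arguments containing spaces, rules without -t belong to "filter".

# rules_to_restore: read iptables commands on stdin, write
# iptables-restore input on stdout. Each table gets its own
# "*table ... COMMIT" block because the kernel commits tables one at
# a time: a failure in a later table leaves earlier ones committed.
rules_to_restore() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip blank lines and comments
        {
            table = "filter"; out = ""
            for (i = 1; i <= NF; i++) {
                if (i == 1 && $i ~ /iptables$/) continue   # drop the command name
                if ($i == "-t" || $i == "--table") { table = $(i + 1); i++; continue }
                if ($i == "-N" || $i == "--new-chain") {
                    # user-defined chains become ":name - [0:0]" declarations,
                    # which must precede the rules that reference them
                    chains[table] = chains[table] ":" $(i + 1) " - [0:0]\n"
                    i++; continue
                }
                out = out (out == "" ? "" : " ") $i
            }
            if (!(table in seen)) { seen[table] = 1; order[++nt] = table }
            if (out != "") rules[table] = rules[table] out "\n"
        }
        END {
            for (j = 1; j <= nt; j++) {
                t = order[j]
                printf "*%s\n%s%sCOMMIT\n", t, chains[t], rules[t]
            }
        }
    '
}

# apply_restore_file: parse and build the whole ruleset without
# touching the kernel (iptables-restore --test, newer iptables only),
# and commit it only if that succeeds. Needs root and a real iptables,
# so it is not exercised offline.
apply_restore_file() {
    iptables-restore --test "$1" && iptables-restore "$1"
}
```

Running `rules_to_restore < rules.txt > staged.rules` and then `apply_restore_file staged.rules` replaces the per-rule load/store round trips with one parse and one commit per table.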