Comments (6)
@abelbeck: Any ideas?
from aif.
Just to clarify, only "new" firewall traffic will be dropped, "active" sessions will be allowed to continue while the firewall is reloaded... including blocked-hosts and all other parts of the firewall. We currently do this to make sure an unwanted firewall state does not establish itself with a half-baked set of firewall rules.
I suspect the problem isn't with blocked-hosts, unless the user has thousands of entries, since it uses iptables-restore to add the rules as quickly as iptables allows; the total rule-rebuilding process of a restart is in "block new traffic" mode.
My only suggestion is to define all rules of a restart via an iptables-restore to minimize the time it takes, but that would be a disruptive change from how we do it currently. Should there be an iptables rule error, it would be difficult to tell which rule(s) it is with an iptables-restore instead of the current realtime iptables calls.
To be honest: this is a user bug report; I didn't verify it myself, so this may not be our turf...
I did some more thinking about the issue and I think the reporter has a point: ideally we shouldn't drop any new traffic either while loading blocked hosts. Especially with long lists this can be (very) undesirable.
@arnova I'm in the process of adding optional ipset support when IPTABLES_IPSET=1 is defined.
Not only is this much faster, but 'sets' can be swapped, so during force-reload the old set can be still active while the new set is being created, then swapped and the old set destroyed. No need to drop new traffic during force-reload.
Works quite nicely in my testing, down the road we can make this the default but we need more testing.
Fixed in 2.0.1g with IPTABLES_IPSET=1
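The swap-based reload that the ipset comment above describes, written out as an added example; it is not part of the original thread and not AIF's own code. It turns a blocked-hosts file into an `ipset restore` batch that fills a temporary set, swaps it with the live set in one step and destroys the old contents, so the rule that references the live set never sees an empty or half-loaded list and no new traffic has to be dropped while a long list loads. The set names, the `hash:net` type, the `INPUT` rule and the sample list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not AIF's own code: atomic blocked-hosts reload via ipset.
# Set names, set type and the iptables rule below are assumptions.

# Print an `ipset restore` batch that loads the entries of $1 into the live
# set $2 through a temporary set. Blank lines and '#' comments are skipped;
# entries may be single IPv4 addresses or CIDR networks (hash:net takes both).
# Anything after the first whitespace on a line (e.g. a trailing comment) is
# ignored.
build_ipset_batch() {
    hosts_file=$1
    set_name=$2
    tmp_set="${set_name}_new"
    # `swap` requires both sets to exist and to be of the same type.
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s hash:net family inet\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    grep -Ev '^[[:space:]]*(#|$)' "$hosts_file" |
    while read -r entry rest; do
        printf 'add %s %s\n' "$tmp_set" "$entry"
    done
    # The live set is untouched until this line; afterwards the live name
    # refers to the freshly loaded contents and the temporary name to the old.
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# The single rule that consults the set. It is installed once and is not
# touched during a reload; only the set contents change.
iptables_set_rule() {
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Write a constructed sample blocked-hosts file and print its path.
write_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample blocked-hosts list (documentation ranges only)
192.0.2.10
198.51.100.0/24

203.0.113.7   # trailing comment is ignored
EOF
    printf '%s\n' "$f"
}

# Usage on a live host (needs root):
#   build_ipset_batch /etc/arno-iptables-firewall/blocked-hosts blocked_hosts \
#       | ipset restore -exist
#   iptables_set_rule blocked_hosts | sh
```

Run the batch through `ipset restore -exist` so that an already-existing live set does not make the `create` line fail. `ipset restore` stops at the first failing line and reports its line number, and because the live set is only modified by the `swap` near the end, a malformed entry leaves the previous list in force rather than a partially loaded one, which also addresses the diagnosability concern raised about `iptables-restore` earlier in the thread.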