AIF drops all traffic on force-reload about aif HOT 6 CLOSED

@abelbeck : Any ideas?

from aif.

Just to clarify, only "new" firewall traffic will be dropped, "active" sessions will be allowed to continue while the firewall is reloaded... including blocked-hosts and all other parts of the firewall. We currently do this to make sure an unwanted firewall state does not establish itself with a half-baked set of firewall rules.

I suspect the problem isn't with blocked-hosts, unless the user has thousands of entries, since it uses iptables-restore to add the rules as quickly as iptables allows, the total rule rebuilding process of a restart is in the "block new traffic" mode.

My only suggestion is to define all rules of a restart via an iptables-restore to minimize the time it takes, but that would be a disruptive change from how we do it currently. Should there be an iptables rule error, it would be difficult which rule(s) it is with an iptables-restore instead of the current realtime iptables calls.

from aif.

To be honest: This is a user bug report, I didn't verify it myself so this may not be our turf...

from aif.

I did some more thinking about the issue and I think the reporter has a point: ideally we shouldn't drop any new traffic either while loading blocked hosts. Especially with long lists this can be (very) undesirable.

from aif.

@arnova I'm in the process of adding optional ipset support when IPTABLES_IPSET=1 is defined.

Not only is this much faster, but 'sets' can be swapped, so during force-reload the old set can be still active while the new set is being created, then swapped and the old set destroyed. No need to drop new traffic during force-reload.

Works quite nicely in my testing, down the road we can make this the default but we need more testing.

from aif.

Fixed in 2.0.1g with IPTABLES_IPSET=1

from aif.