The other day Sean mentioned to me in passing about iptables-restore being able to restore all the rules in a single atomic operation. For some reason I didn't know about that being the case, so I dug around a bit...
Sure enough. iptables-restore does use one atomic operation to put the newly loaded iptables rules in place. I think the reason I was thinking it did not is the RHEL/CentOS/Fedora iptables init script. Depending on how you have /etc/sysconfig/iptables-config setup it could unload or reload kernel modules on restart, and depending on how things go, you could have a hand or long pause while one of those modules unloads and reloads.
It's also worth noting that single append/insert/delete iptables operations are also atomic. There is not a window there where all the rules are reloading, the entire table plus your new rule is in effect at once.
So, rejoice if you don't want any hiccups when changing out iptables rulesets, just use iptables-restore and your rules will all magically be in place at once. I guess it makes sense that iptables would operate this way, but it's something I didn't know and though I would pass along. :)comments powered by Disqus