I need a robust/reliable/elegant way to handle any error conditions while re-loading firewall rules, some background:
- our servers are using a whitelist mechanism, which means there will be a large volume of rules if a server needs to talk to many different destinations.
- we have another tool to generate a firewall rule file, which is fed to iptables/ipfilter, with a very rare chance that the file may be malformed.
- since the number of firewall rules could be very large, iptables/ipfilter may fail to load the firewall rule file due to resource limitations on some of our legacy hardware; for example, there may not be enough memory in some cases when reloading more than 20k rules altogether.
so my questions are:
- Are there any existing tools that can be used to check the syntax of the firewall rules before actually loading them?
- Are there any ways to make the reloading process atomic, i.e. it either reloads the new rules successfully or just preserves the previous healthy rule set?
- How can we make sure that, given the current running environment and the rule set, the reload will be sure to succeed? Or are there any tools to give me some estimate of whether the reload is likely to succeed/fail?
Any suggestions are warmly welcome. Thanks in advance.
It's been said that iptables-restore is atomic. I cannot confirm that, but assuming that were true, then it would seem like a sensible approach.
- Once validated, use `iptables-save` to dump out the rule-set.
- Double check the rule-set on your production machine using `iptables-restore -t`.
- Load in the new rule-set on your production machine.
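The validate-then-load sequence above, as an added example script (not from the answer's author): `iptables-restore -t` only parses the file without committing it, so a malformed file is rejected before anything changes; the live load is wrapped with an `iptables-save` snapshot so that a failure on the real box (the out-of-memory case from the question) puts the previous healthy rules back. The `IPTABLES_SAVE`/`IPTABLES_RESTORE` variables and the exit codes are this script's own conventions, not iptables options.

```shell
#!/bin/sh
# Safe reload of an iptables rule file: syntax-check it with `iptables-restore -t`,
# snapshot the live rules with `iptables-save`, load, and roll back on failure.
# The two variables below default to the real binaries; they exist only so the
# script can be exercised with stand-in commands (they are not iptables options).
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# check_rules FILE: parse-only check, never touches the kernel tables.
check_rules() {
    "$IPTABLES_RESTORE" -t < "$1"
}

# reload_rules FILE: 0 = new rules live; 1 = file failed the syntax check, nothing
# changed; 2 = live load failed and the previous rules were restored; 3 = rollback
# itself failed, so the firewall state must be inspected by hand (backup kept).
reload_rules() {
    new="$1"
    backup=$(mktemp) || return 3
    if ! check_rules "$new"; then
        echo "reload: $new failed iptables-restore -t, keeping current rules" >&2
        rm -f "$backup"
        return 1
    fi
    # Snapshot the healthy rule set before replacing it.
    "$IPTABLES_SAVE" > "$backup" || { rm -f "$backup"; return 3; }
    if "$IPTABLES_RESTORE" < "$new"; then
        rm -f "$backup"
        return 0
    fi
    # Load failed at commit time (e.g. out of memory on a legacy box): restore the old set.
    echo "reload: live load of $new failed, restoring previous rules" >&2
    if "$IPTABLES_RESTORE" < "$backup"; then
        rm -f "$backup"
        return 2
    fi
    echo "reload: rollback failed, previous rules kept at $backup" >&2
    return 3
}
```

Run as root with `reload_rules /path/to/new.rules` and branch on the exit code; a syntax failure leaves the running firewall untouched.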