Comment 3 for bug 1405670

Realgo Sysadmin (sysadm-k) wrote :

Unfortunately, this isn't as easy as it seems. iptables save/restore have very different semantics from ipset save/restore. iptables starts from an empty state and loads the specified rules. ipset, on the other hand, starts from the *CURRENT* state. At system boot time, this will be empty, so you will need to create ipsets and then populate them. Loading new rules errors out if you try to create a set that exists, destroy a set that either doesn't exist or is referenced by iptables, swap sets with one that doesn't exist, or rename to one that does exist.

The right solution feels like making it like iptables restore where it populates rules and then swaps them into place, or changing semantics so that you have things like "destroy if exists" and have "save" emit that. Or "swap or rename" so that you could populate rules and then put them in place.

My current plan is to make an /etc/ipset.d directory, and have files in there that do the delete or create and ignore them if they already exist. One file for each rule to make a known state, then the file that loads from the known state.
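An added illustration of the "populate, then swap into place" approach described above; this is example code, not the commenter's /etc/ipset.d scheme. It assumes `ipset save` output in the form `create NAME TYPE OPTS...` / `add NAME ENTRY` and rewrites it into a restore file in which each set's new members are loaded into a scratch set and then swapped in, so the live set (which iptables may reference) is never destroyed; the sample input is constructed.

```shell
# Rewrite 'ipset save' output (stdin) into a swap-based restore file (stdout).
# Load the result with:  ipset -exist restore < file
# '-exist' on the restore makes the 'create' lines tolerant of sets that
# already exist, which is exactly the boot-vs-running-state problem.
gen_swap_restore() {
  awk '
    $1 == "create" {
      set = $2
      spec = $0
      sub(/^create +[^ ]+ +/, "", spec)   # keep type and options only
      order[++n] = set
      # live set: must exist so swap has a partner of the same type
      printf "create %s %s\n", set, spec
      # scratch set: create it, then empty it in case an aborted run left one
      printf "create %s_tmp %s\n", set, spec
      printf "flush %s_tmp\n", set
      next
    }
    $1 == "add" {
      set = $2
      entry = $0
      sub(/^add +[^ ]+ +/, "", entry)
      printf "add %s_tmp %s\n", set, entry
      next
    }
    END {
      # swap is atomic; the scratch set now holds the old members and is
      # not referenced by iptables, so destroying it cannot fail on that account
      for (i = 1; i <= n; i++) {
        printf "swap %s_tmp %s\n", order[i], order[i]
        printf "destroy %s_tmp\n", order[i]
      }
    }'
}

# Constructed sample of 'ipset save' output (hypothetical set name and addresses).
sample_save() {
  printf 'create blocklist hash:ip family inet hashsize 1024 maxelem 65536\n'
  printf 'add blocklist 192.0.2.10\n'
  printf 'add blocklist 198.51.100.7\n'
}

sample_save | gen_swap_restore
```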