
Can I somehow reload firewall rules using an iptables-save definition, without clearing the current runtime version counters? I want some way to only add and remove different rules and keep the old ones in place with counters intact. iptables-restore -n is not clever enough.

Has anyone solved this issue before?

My monitoring is bound to firewall rules and counters, and clearing them makes a big spike in rrdtool charts, because rrdtool thinks it is an integer overflow, not a firewall update.

mighq
What about `-c`, the actual switch to restore counters? If that doesn't work either, you might want to explain what's not clever about it. – gparent Mar 28 '13 at 15:35

1 Answer

There are many options; you just need to change how you manage the firewall.

A couple of ideas:

  • Don't 'reload' the firewall. Issue commands to add/insert/remove rules as required.
  • Refactor your firewall so the counters are in a separate chain from the filtering rules. Don't flush/update that particular chain.
  • Use iptables-save to export the current rules, update the exported rule set, and restore them.
  • As @gparent suggested, use something to save the counters, and then use the -c option to restore them during a reload.
Zoredache