On Sun, Nov 15, 2020 at 02:50:09PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:

> > deactivating these rules would need a complete reboot!? Or do I
> > overlook something?
> 
> Yes, this would be true.

Why? After all iptables supports deleting (-D) or replacing (-R)
rules anywhere any chain. Turning rules in a custom chain on
or off could be done with a single iptables command.

OK, I guess that'd require non-trivial amount of coding in IPFire.

> Maybe we should in general move these things to not require a reboot?

I'd like that. BTW unbound also supports changes without total reload.

> I believe reloading the whole firewall is something we can support right now.

That would already be helpful.

-- 
Tapani Tarvainen