Hi,
On 15 Nov 2020, at 15:44, Tapani Tarvainen <ipfire@tapanitarvainen.fi> wrote:
On Sun, Nov 15, 2020 at 02:50:09PM +0000, Michael Tremer (michael.tremer@ipfire.org) wrote:
deactivating these rules would need a complete reboot!? Or do I overlook something?
Yes, this would be true.
Why? After all iptables supports deleting (-D) or replacing (-R) rules anywhere in any chain. Turning rules in a custom chain on or off could be done with a single iptables command.
OK, I guess that'd require a non-trivial amount of coding in IPFire.
It is in theory possible, but in practice would be surgically removing firewall rules.
If anyone has some custom changes in here, or if you install an update and the newer version of the script is expecting some changes, this won’t work any more.
Therefore the best way is to have a chain that can be flushed and recreated.
Maybe we should in general move these things to not require a reboot?
I'd like that. BTW unbound also supports changes without total reload.
Which ones?
I believe reloading the whole firewall is something we can support right now.
That would already be helpful.
-- Tapani Tarvainen
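
The "chain that can be flushed and recreated" approach from the thread, sketched as an added example (not part of the original messages and not IPFire's code). It assumes a hypothetical chain `EXAMPLE_BLOCK` that a built-in chain already jumps to, with constructed sample rules; `iptables-restore --noflush` empties only the chains declared in the payload and swaps the contents in one commit, without a reboot.

```shell
#!/bin/sh
# Added example, not IPFire code. Chain name and rules are constructed.
CHAIN="EXAMPLE_BLOCK"   # hypothetical chain, jumped to from a built-in chain

# Emit an iptables-restore payload that redefines only $CHAIN.
# $1 = "on" or "off"; rule specs are read from stdin, one per line,
# written without the leading "-A <chain>".
build_ruleset() {
    state="$1"
    echo "*filter"
    # Declaring the chain makes iptables-restore --noflush empty it first.
    echo ":${CHAIN} - [0:0]"
    if [ "$state" = "on" ]; then
        while IFS= read -r spec; do
            # Skip blank lines and comments in the rule list.
            case "$spec" in ''|'#'*) continue ;; esac
            echo "-A ${CHAIN} ${spec}"
        done
    fi
    echo "COMMIT"
}

# Apply in one commit; --noflush leaves every chain not named in the
# payload untouched, so custom rules elsewhere survive. Needs root.
apply_ruleset() {
    build_ruleset "$1" | iptables-restore --noflush
}

# Constructed sample rules (documentation address ranges).
SAMPLE_RULES='# drop two documentation networks
-s 192.0.2.0/24 -j DROP
-s 198.51.100.0/24 -j DROP'
```

Piping the rule list into `apply_ruleset on` enables the rules; `apply_ruleset off </dev/null` leaves the chain in place but empty, so the jump into it becomes a no-op.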