Bug 482268 - net-firewall/ipset - add reload() function to init.d script
Summary: net-firewall/ipset - add reload() function to init.d script
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
: Normal normal
Assignee: Robin Johnson
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
Reported: 2013-08-23 22:17 UTC by Hank Leininger
Modified: 2013-12-01 19:17 UTC
See Also:
Package list:
Runtime testing required: ---


Attachments
- add reload() functionality to /etc/init.d/ipset (ipset.initrd-add-reload.patch, 2.01 KB, patch) - 2013-08-23 22:17 UTC, Hank Leininger
- add reload() functionality to /etc/init.d/ipset (ipset.initrd-add-reload.patch, 2.02 KB, patch) - 2013-08-26 20:57 UTC, Hank Leininger

Description Hank Leininger 2013-08-23 22:17:17 UTC
Created attachment 356798 [details, diff]
add reload() functionality to /etc/init.d/ipset

Please update ipset/files/ipset.initd-r2 with the attached patch that adds a reload() function.

With this patch, one can more-or-less atomically reload the saved ipset list (if it has been modified by other tools, etc) with:

  /etc/init.d/ipset reload

Without this, when an iptables policy depends on using ipsets, it is tricky to reload the sets.  Any active reference to an ipset in iptables rules will prevent you from just doing an '/etc/init.d/ipset restart' (or 'stop' && 'start').

You basically need to do:

  init.d/iptables stop && init.d/ipset restart && init.d/iptables start

But this has lots of issues; the firewall is completely disabled during the transition.

Another option is to zap all existing ipsets w/o deleting them, and then repopulate them, but this is still non-atomic wrt each set list, and leaves the firewall behaving other than the administrator may expect.

This reload() function behaves from the outside very similarly to how iptables' reload() function works: it reloads sets from /var/lib/ipset/rules-save.

Under the hood it is more complicated, for the above reasons (can't just destroy and reload; don't want to zero out and rebuild).
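The attached patch itself is not reproduced on this page, so the following is an added illustration, not the reporter's code and not Gentoo's ipset init script. It shows one common way to get the "more-or-less atomic" reload described above using the ipset swap command: every saved set is first rebuilt under a temporary name (while the old sets keep serving the iptables rules that reference them), then each temporary set is swapped into place and the old contents destroyed. A set that does not currently exist (including the empty-set-list case mentioned in Comment 1) is simply renamed into place. The save-file path, the `_reload` suffix, the sample rules and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example: swap-based reload of ipsets from a saved rules file.
# Not the attached patch; the patch's internals are not shown on this page.

# Assumption: the same default location the bug report mentions.
SAVE_FILE="${IPSET_SAVE_FILE:-/var/lib/ipset/rules-save}"
# Assumption: suffix used for the temporary sets built before the swap.
TMP_SUFFIX="_reload"

# Constructed sample in `ipset save` format, written to the path in $1
# (used only to demonstrate the pure text-processing helpers below).
write_sample_rules() {
    cat > "$1" <<'EOF'
create blocklist hash:ip family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.10
add blocklist 198.51.100.7
create allowlist hash:net family inet hashsize 1024 maxelem 65536
add allowlist 203.0.113.0/24
EOF
}

# Print the names of all sets declared by `create` lines in a saved file.
saved_set_names() {
    awk '$1 == "create" { print $2 }' "$1"
}

# Rewrite a saved file so every set is created and filled under NAME<suffix>.
# $1 = rules file, $2 = suffix. Output goes to stdout (feed it to `ipset restore`).
rename_to_temp() {
    awk -v sfx="$2" '($1 == "create" || $1 == "add") { $2 = $2 sfx } { print }' "$1"
}

# True if $1 occurs in the whitespace-separated list $2 (which may be empty).
in_list() {
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# Print the ipset commands that move each temporary set into its final name.
# $1 = rules file, $2 = suffix, $3 = names of sets currently loaded (may be "").
# An existing set is swapped (atomic from the point of view of iptables) and the
# old contents destroyed; a set that does not exist yet is just renamed.
swap_plan() {
    for name in $(saved_set_names "$1"); do
        if in_list "$name" "$3"; then
            printf 'ipset swap %s%s %s\n' "$name" "$2" "$name"
            printf 'ipset destroy %s%s\n' "$name" "$2"
        else
            printf 'ipset rename %s%s %s\n' "$name" "$2" "$name"
        fi
    done
}

# The actual reload: needs root and the ipset tool; not exercised by the test.
ipset_reload() {
    current=$(ipset -n list 2>/dev/null | tr '\n' ' ')
    # Step 1: build all saved sets under temporary names; live sets stay untouched.
    rename_to_temp "$SAVE_FILE" "$TMP_SUFFIX" | ipset restore || return 1
    # Step 2: swap/rename each temporary set into place, stopping at the first failure.
    swap_plan "$SAVE_FILE" "$TMP_SUFFIX" "$current" | sh -e
}

case "${1:-}" in
    reload) ipset_reload ;;
esac
```

Usage: `sh ipset-reload.sh reload`. Two caveats a practitioner should keep in mind: `ipset swap` requires both sets to have the same type and family, so a set whose type changed in the saved file cannot be swapped and must be handled manually; and if a previous run failed after step 1, stale `*_reload` sets will make the next `ipset restore` fail until they are destroyed.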
Comment 1 Hank Leininger 2013-08-26 20:57:11 UTC
Created attachment 357118 [details, diff]
add reload() functionality to /etc/init.d/ipset

Updated: correctly handle an empty list of current ipsets.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-12-01 19:17:11 UTC
Thanks, in CVS, minor improvements too.