Do you clear the old entries from the chain ?

[bobymicroby]

Hi @tam7t

I had a quick look ad the code, and it seems to me that you only append rules to the chain. Droplets are ephemeral, so we will end up with a lot of allowed droplets, even after we have destroyed them and they already belong to Eve.

Regards, B.

[tam7t]

Each run of droplan will first clear the chain before adding peers:

https://github.com/tam7t/droplan/blob/master/tables.go#L43

[bobymicroby]

Great . Go is still a bit cryptic for me :)

On Wed, Nov 2, 2016, 02:48 Tommy Murphy [email protected] wrote:

Each run of droplan will first clear the chain before adding peers:

https://github.com/tam7t/droplan/blob/master/tables.go#L43

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/tam7t/droplan/issues/35#issuecomment-257742211, or mute the thread https://github.com/notifications/unsubscribe-auth/AA4nV6YrfoReWm0lgYfao78HNzoH8H7Lks5q593BgaJpZM4Kl4xv .

[josegonzalez]

Does this mean that there is a period of time during which the network is left unsecured? Seems like a better tact would be to load the existing chain, modify it in-memory, and apply changes as necessary.

[tam7t]

No, the chain that is cleared only has the ACCEPT rules, the default rule is DROP on the interface.

[josegonzalez]

So then network traffic will blip?

[tam7t]

@josegonzalez that is addressed by https://github.com/tam7t/droplan/issues/11 with the -A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT rule so that established connections are not dropped.

[josegonzalez]

Right but I guess new connections will break during the time it takes to update the chain, correct?