Do you clear the old entries from the chain ?

[bobymicroby]

Hi @tam7t

I had a quick look ad the code, and it seems to me that you only append rules to the chain.
Droplets are ephemeral, so we will end up with a lot of allowed droplets, even after we have destroyed them and they already belong to Eve.

Regards, B.

[tam7t]

Each run of droplan will first clear the chain before adding peers:

https://github.com/tam7t/droplan/blob/master/tables.go#L43

[bobymicroby]

Great . Go is still a bit cryptic for me :)

On Wed, Nov 2, 2016, 02:48 Tommy Murphy notifications@github.com wrote:

Each run of droplan will first clear the chain before adding peers:

https://github.com/tam7t/droplan/blob/master/tables.go#L43

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#35 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AA4nV6YrfoReWm0lgYfao78HNzoH8H7Lks5q593BgaJpZM4Kl4xv
.

[josegonzalez]

Does this mean that there is a period of time during which the network is left unsecured? Seems like a better tact would be to load the existing chain, modify it in-memory, and apply changes as necessary.

[tam7t]

No, the chain that is cleared only has the ACCEPT rules, the default rule is DROP on the interface.

[josegonzalez]

So then network traffic will blip?

[tam7t]

@josegonzalez that is addressed by #11 with the
-A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
rule so that established connections are not dropped.

[josegonzalez]

Right but I guess new connections will break during the time it takes to update the chain, correct?