Optimizing rule loading, iptables-1.3.0 and iptables-batch

[Henrik Nordstrom]

On Tue, 7 Sep 2004, Robert Hardy wrote:

> iptables-batch has the advantage of being able to batch install a single
> chain (or part of a chain) of a table in a more optimal manner. This was
> sorely lacking in iptables-restore. Even when patched with the recent "fixes
> patch" off the devel list, iptables-restore still only allows you to save
> and restore whole tables.

Not entirely true. There is the --noflush (-n) option to iptables-restore 
which allows you to do any kinds of operations you please.

Load a user chain:

iptables-restore --noflush << EOF
*filter
-F userchain
-A userchain .....
COMMIT
EOF

Insert a set of rules in the middle of an existing chain:

iptables-restore --noflush << EOF
*filter
-I userchain 4 .....
-I userchain 5 ....
-I userchain 6 ....
COMMIT
EOF


It is true that iptables-save only saves a complete table however.

> While it does compile nicely, it unforunately segfaults after every
> command. Even something simple like iptables -L with no rules loaded.

The iptables userspace is currently being rewritten quite extensively.

Regards
Henrik