6}tables-restore -n with existing user defined chain
xkr47 at outerspace.dyndns.org
Thu May 19 17:43:58 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Quoting Charlie Brady on 2005-05-18 16:07 UTC:
> I want to redefine an existing chain atomically. I can't do that with
> the iptables command, but can almost do it with iptables-restore -n.
> When I try, iptables barfs because the chain already exists. Duh! Yeah,
> I know it exists, but I want to redefine it.
One option is to make a new version with a new name and then atomically
replace jumps to the old version to use the new version:
iptables -N INPUT0
iptables -A INPUT0 ...
iptables -N FOOBAR0
iptables -A FOOBAR0...
iptables -A INPUT0 ... -j FOOBAR0
iptables -A INPUT -j INPUT0
switch to new:
iptables -N INPUT1
iptables -A INPUT1 ...
iptables -N FOOBAR1
iptables -A FOOBAR1...
iptables -A INPUT1 ... -j FOOBAR1
iptables -R INPUT 1 -j INPUT1
# cleanup (could be replaced by some automatic loop finding all chains
# named something ending in "0")
iptables -F INPUT0
iptables -X INPUT0
iptables -F FOOBAR0
iptables -X FOOBAR0
It would probably be rather easy to create some wrappers that manage the
versioning.. Also, two versions would be enough (0 and 1).
I might just go ahead and try something like this myself, actually.. :)
- - xkr47
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the netfilter-devel