[Patch] ip{, 6}tables-restore -n with existing user defined chain

[Jonas Berlin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quoting Charlie Brady on 2005-05-18 16:07 UTC:
> 
> I want to redefine an existing chain atomically. I can't do that with
> the iptables command, but can almost do it with iptables-restore -n.
> When I try, iptables barfs because the chain already exists. Duh! Yeah,
> I know it exists, but I want to redefine it.

One option is to make a new version with a new name and then atomically
replace jumps to the old version to use the new version:

original setup:

  iptables -N INPUT0
  iptables -A INPUT0 ...
  ...
  iptables -N FOOBAR0
  iptables -A FOOBAR0...
  iptables -A INPUT0 ... -j FOOBAR0
  ...
  iptables -A INPUT -j INPUT0

switch to new:

  iptables -N INPUT1
  iptables -A INPUT1 ...
  ...
  iptables -N FOOBAR1
  iptables -A FOOBAR1...
  iptables -A INPUT1 ... -j FOOBAR1
  ...
  iptables -R INPUT 1 -j INPUT1
  # cleanup (could be replaced by some automatic loop finding all chains
  #          named something ending in "0")
  iptables -F INPUT0
  iptables -X INPUT0
  iptables -F FOOBAR0
  iptables -X FOOBAR0

It would probably be rather easy to create some wrappers that manage the
 versioning.. Also, two versions would be enough (0 and 1).

I might just go ahead and try something like this myself, actually.. :)

- --
- - xkr47
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCjLQ7xyF48ZTvn+4RAhTbAKC5yYTZPxsEj9A3YH3RZZuv0TzQlACgytFN
T2G76lKiEO5cWBAQ/PKVmXA=
=W20U
-----END PGP SIGNATURE-----