[Patch] ip{,6}tables-restore -n with existing user defined chain
Carl-Daniel Hailfinger
c-d.hailfinger.devel.2005 at gmx.net
Thu May 19 18:37:23 CEST 2005
Jonas Berlin wrote:
> Quoting Charlie Brady on 2005-05-18 16:07 UTC:
>
>>>I want to redefine an existing chain atomically. I can't do that with
>>>the iptables command, but can almost do it with iptables-restore -n.
>>>When I try, iptables barfs because the chain already exists. Duh! Yeah,
>>>I know it exists, but I want to redefine it.
>
>
> One option is to make a new version with a new name and then atomically
> replace jumps to the old version to use the new version:
What about atomic rename instead?
> original setup:
>
> iptables -N INPUT0
> iptables -A INPUT0 ...
> ...
> iptables -N FOOBAR0
> iptables -A FOOBAR0...
> iptables -A INPUT0 ... -j FOOBAR0
> ...
> iptables -A INPUT -j INPUT0
>
> switch to new:
>
> iptables -N tmp0
> iptables -A tmp0 ...
> ...
> iptables -N tmp1
> iptables -A tmp1...
> iptables -A tmp0 ... -j tmp1
> ...
iptables --exchange-names tmp0:INPUT0,tmp1:FOOBAR0
> # cleanup (could be replaced by some automatic loop finding all chains
> # named something ending in "0")
> iptables -F tmp0
> iptables -X tmp0
> iptables -F tmp1
> iptables -X tmp1
What do you think?
Regards,
Carl-Daniel
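As an added illustration of the rename-and-swap procedure Jonas describes above (this is not code from the thread, and it does not use the proposed --exchange-names option), the function below emits the whole switch as a single batch for `iptables-restore -n`: the replacement chains are declared under a fresh version suffix so the existing-chain error does not occur, the jump in INPUT is repointed, and the old chains are flushed and deleted. Because iptables-restore commits a table as one unit, the switch and the cleanup land together instead of as separate iptables invocations. The chain names, the sample rules, and the assumption that the jump is rule 1 of INPUT are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# gen_swap_batch OLDSUFFIX NEWSUFFIX
# Emits an iptables-restore batch (for use with -n / --noflush) that:
#   1. declares INPUT<new> and FOOBAR<new> as fresh chains (new names, so
#      the "chain already exists" failure from the thread cannot happen)
#   2. fills them with constructed sample rules
#   3. replaces rule 1 of INPUT (assumed to be the only rule there, the
#      jump to INPUT<old>) with a jump to INPUT<new>
#   4. flushes and deletes the old versioned chains
# All of this is applied in one COMMIT, so there is no window in which
# INPUT points at a half-built or already-deleted chain.
gen_swap_batch() {
    old="$1"
    new="$2"
    printf '*filter\n'
    # chain declarations come first so later jump targets exist
    printf ':INPUT%s - [0:0]\n' "$new"
    printf ':FOOBAR%s - [0:0]\n' "$new"
    # constructed sample rules for the new chain versions
    printf -- '-A FOOBAR%s -p tcp --dport 22 -j ACCEPT\n' "$new"
    printf -- '-A INPUT%s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$new"
    printf -- '-A INPUT%s -j FOOBAR%s\n' "$new" "$new"
    # repoint the built-in chain at the new version (assumes rule 1 is the jump)
    printf -- '-R INPUT 1 -j INPUT%s\n' "$new"
    # cleanup of the previous version, in the same transaction
    printf -- '-F INPUT%s\n' "$old"
    printf -- '-X INPUT%s\n' "$old"
    printf -- '-F FOOBAR%s\n' "$old"
    printf -- '-X FOOBAR%s\n' "$old"
    printf 'COMMIT\n'
}

# Usage (as root, with INPUT0/FOOBAR0 currently installed):
#   gen_swap_batch 0 1 | iptables-restore -n
```

The suffix bookkeeping is left to the caller: the current version number must be read from the installed rules (for example by listing chains whose names end in a digit, as the cleanup comment in the quoted message suggests) and the next one passed in.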