[Ipchains-dev] My (newbie) thoughts about netfilter
Paul Rusty Russell
Paul.Russell@rustcorp.com.au
Tue, 31 Aug 1999 12:25:36 -0700
In message <E11LQ93-0003kA-00@mailgate.rz.uni-karlsruhe.de> you write:
> >> Is there an operation to atomically swap two chains? That way, one
> >
> >Atomically replace the rule pointing to the chain.
>
> That way, you need to have two chains, A and B. One is active, the
> other is being worked on. You'd need to keep track of which is the
> active version. I did this with ipchains, it's a pain to maintain.
I agree 8-(. Would a `--rename-chain' option to iptables help? It'd
be convoluted:
# iptables --rename-chain A tmp && \
iptables --rename-chain B A && \
iptables --rename-chain tmp B
But it'd work.
> >It's merely a pass-through rule; LOG is a side effect. The next rule
> >will be examined.
>
> So I'd probably have a chain logdeny with two unconditional rules?
>
> ipchains -N logdeny
> ipchains -A logdeny -j LOG
> ipchains -A logdeny -j DENY
Exactly. In fact, I'm tempted to separate limit from log (that way
you can use it to limit other things), something like:
# ipchains -N logdeny
# ipchains -A logdeny -j LIMIT --limit-rate 5 1
# ipchains -A logdeny -j LOG
# ipchains -A logdeny -j DENY
Enjoy,
Rusty.
--
Hacking time.
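A shell version of the chain rotation discussed in this message, as an added example that is not from the thread: it follows the quoted suggestion of atomically replacing the jump rule rather than the three-way rename, and builds the log-then-deny chain with the limit kept as a separate step. It assumes a current iptables (-m limit, LOG, DROP, -E); the IPT variable, the function names and the rule number are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. IPT, the function names and the
# rule number passed to rotate_chain are assumptions; IPT can point at a stub.
IPT="${IPT:-iptables}"

# build_logdeny_chain CHAIN
# The "logdeny" shape from the thread: a rate limit, then LOG, then the drop.
# LOG is a pass-through target, so a packet that is logged continues to the
# DROP rule; the limit keeps LOG from flooding the kernel log.
build_logdeny_chain() {
    "$IPT" -N "$1" &&
    "$IPT" -A "$1" -m limit --limit 5/second -j LOG --log-prefix "logdeny:" &&
    "$IPT" -A "$1" -j DROP
}

# rotate_chain BUILTIN RULENUM CHAIN
# Builds CHAIN_new, then replaces the one jump rule at BUILTIN:RULENUM (the
# rule currently jumping to CHAIN) with a jump to CHAIN_new. -R is a single
# rule replacement, so there is no moment at which neither chain is active.
# iptables -E only renames a chain; existing jump rules keep following the
# renamed chain, so a rename by itself would not move traffic. It is used
# here only to give the new chain the old name once the old one is gone.
rotate_chain() {
    builtin="$1"; rulenum="$2"; chain="$3"; new="${chain}_new"
    build_logdeny_chain "$new" || return 1
    if ! "$IPT" -R "$builtin" "$rulenum" -j "$new"; then
        # Switch failed: remove the staged chain so the table is unchanged.
        "$IPT" -F "$new"; "$IPT" -X "$new"; return 1
    fi
    "$IPT" -F "$chain" && "$IPT" -X "$chain" || return 1
    "$IPT" -E "$new" "$chain"
}
```

Run as root with the rule number of the `-j logdeny` rule in the built-in chain, e.g. `rotate_chain INPUT 3 logdeny`; with `IPT=echo` it prints the commands instead of applying them.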